Why?security: UVM's Information Security Operations Team answers "Why?"


Ransomware Alert

A new form of malware is making its way to the University of Vermont: Ransomware is a particular form of malicious software which prevents you from accessing your own data.  Once the software has locked down any data to which you have access, it demands that you pay a ransom in order to have access restored.

To avoid ransomware and/or reduce its impact, take the same precautions you’re already taking to avoid malicious software attacks:

  • Make sure all critical files are backed up. If you use files.uvm.edu, data is already backed up for you. However, anything stored on your desktop or laptop hard drive, removable media, or other file services could be at risk and should be backed up before you suffer an attack.  If you are unsure about backups, check with your local IT person.
  • Slow down and scrutinize all email with attachments.  Are you expecting this particular email and this specific attachment? If in doubt, call the sender and ask.
  • Disable macros when opening Microsoft Office documents (Word, Excel, etc.). Most files will work without them; if one does not, seek help.
  • If you receive an email from yourself with an attachment, and you do not recall sending the email, do not open the attachment. This trick has been a particular favorite in cases we have observed.

If you think you may be the victim of a ransomware attack, take the following steps:

  • Shut down your machine and disconnect from the network to limit the scope of damage.
  • Do not pay the ransom. There’s no guarantee that paying will get your data back.
  • Contact your local IT person. They will help you triage the problem and will escalate to the Information Security Operations Team as appropriate.

Enterprise Technology Services continues to update its safeguards against these attacks and others, but the malware changes rapidly and can sometimes evade detection long enough to arrive in your Inbox. Your vigilance is our last line of defense against this kind of attack.

If you have questions or concerns, get in touch with the Information Security Operations Team at iso@uvm.edu.

Income Tax Fraud: How to Protect Yourself

Nationwide, many taxpayers have attempted to file their federal and state income tax returns, only to find out that criminals have already filed fraudulent returns and claimed refunds.  The Vermont Department of Taxes explains:  

Refund fraud occurs when a criminal uses stolen identification of a taxpayer, including Social Security Number, to create a phony return.  Often the criminal will use software to generate fraudulent returns in multiple states using the same stolen identification. Identity theft is a well-known problem, and can result from a data breach, scam, or loss of a wallet.

Last year, the IRS reported 875,000 cases of tax identity theft, and news reports indicate that fraud continues at a high rate this tax season.   UVM is aware of fewer than two dozen employees who have been victims of this type of fraud.  There are numerous potential sources of the personal information needed to file a tax return, and investigations into the cases reported by UVM employees, which are continuing, have not shown evidence of a compromise of UVM databases or information systems.  Stolen personal information, such as Social Security numbers stolen in widely reported corporate breaches, is readily available in underground marketplaces, and finding additional information such as employer EINs is facilitated by free online databases.  

How to Protect Yourself

If you’re notified by the IRS or a state tax department that someone has filed a fraudulent tax return in your name, take these steps to  resolve the issue and protect yourself: 

  • Follow the steps suggested by the IRS and the Vermont Department of Taxes, including: 
    • File a report with law enforcement (your local police department) 
    • File a complaint with the Federal Trade Commission 
    • Respond immediately to any IRS notice 
    • Complete IRS Form 14039, Identity Theft Affidavit 
    • Continue to pay your taxes and file your tax return, even if you must do so by paper 
    • Contact one of the three major credit bureaus to place a fraud alert on your credit records 
    • Notify UVM’s Information Security Operations Team at iso@uvm.edu, or UVM Police Services 
  • You may also want to: 
    • Contact your financial institutions, and close any accounts opened without your permission or tampered with
    • Check your Social Security Administration earnings statement annually 

If you’ve been notified by a company or organization that your personal information has been compromised, even if you’re not a victim of tax return fraud, follow the steps above with the exception of the IRS-specific items.  

Additional sources of information and guidance: 

Identity Theft (UVM Police Services)

Tax-Related Identity Theft (Federal Trade Commission)

What to Do if Someone Has Already Filed Taxes Using Your Social Security Number (Intuit) 

IRS Tackles Tax Identity Fraud (Wall Street Journal) 

IRS Struggles to Help Victims of Identity Fraud (Fiscal Times) 

Please contact the Information Security Operations Team at iso@uvm.edu with any questions, concerns, or suggestions.  

Passphrases and multifactor authentication

IT Colleagues,

If you find yourself challenged to help those whose IT needs you support understand the importance of strong passwords, how to choose one, or why to use unique passwords, this month’s OUCH! newsletter may be useful.  You can download it from securingthehuman.org [1].

The newsletter also covers two-step verification or multi-factor authentication (MFA) [2].  While passwords are a single factor (a secret you know), MFA adds factors that someone who’s stolen your password won’t have: something you possess, something you are (a physical characteristic), or somewhere you are (a location or a trusted device).  Most people have experienced MFA with ATMs or online banking, and for good reason: it’s way too easy to steal passwords, either through social engineering or device compromise (e.g., key loggers).   A strong password is no defense against those threats.

Multi-Factor Authentication at UVM 

At UVM, we’re on track for a record year of Net-ID password compromises (95 so far in 2015, compared to 61 in the first three months of 2014, 350 in all of 2014, and 102 in 2013).   Compromised accounts are most often used to send spam, but more dangerous uses have been seen, with potentially catastrophic consequences for UVM and for the information resources, often very personal and sensitive, that we’re entrusted to manage.

With the diminishing effectiveness of passwords, UVM needs to expand our use of MFA.  People have been using RSA SecurIDs for access to Banner and some VPNs for a long time, making it all but impossible to access those systems with a stolen password.

The PeopleSoft system is next.  The recently implemented switch to using Webauth to log in to PeopleSoft has laid the foundation for MFA for that system.  SecurIDs will be supported, but most people who don’t already have SecurIDs will be able to choose several alternatives, including a USB key fob from Yubico, a smartphone app (Duo Mobile), a text message, and even a phone call.   A pilot population is using MFA with PeopleSoft now, and discussions with data stewards and affected groups will determine the roles that will be required to use MFA, and who will be able to opt in.

In the meantime, I hope this month’s OUCH! newsletter will shed some welcome light on good passwords and multi-factor authentication.

[1] http://www.securingthehuman.org/ouch/ 

[2] http://en.wikipedia.org/wiki/Two_factor_authentication 

Best regards,

Dean Williams

Information Security Officer

Enterprise Technology Services

Dean.Williams@uvm.edu | 802-656-1174  

Find information security news, best practices, and how to report concerns on the UVM Computing Web site:


The time for Encryption and Workstation Management is Now

IT Colleagues,

Protecting the huge variety of information the University collects and manages is everyone’s responsibility.  For those of us with IT roles, people whose IT needs we support look to us to provide safe and secure ways to manage information.  The need is particularly critical when it comes to protecting personal and private information on students, employees, research subjects, and other affiliates.  No one wants to be responsible, even by accident, for exposing personal information that could cause harm to individuals, impact UVM’s reputation, and incur significant costs.

As IT people, it’s our responsibility to help others work securely, including implementing critical laptop and “desktop” protections such as encryption and domain joining.  Some protections are mandated by policy, and others are best practices.  ETS can help.

How We Need to Help

One of the most important ways we can help our clientele work securely is to help them secure their computers and other devices.  The Information Security Procedures mandate several precautions that IT personnel generally need to set up for their clients:

  • Encryption of UVM- and personally-owned devices that could carry institutional data
  • Use of University storage and email (rather than external, cloud services)
  • Malware protection
  • Automatic software updates
  • Software that is supported with prompt security fixes (especially operating systems)
  • Requiring a password for start-up and wake from sleep or screen saver (ten-minute time-out)
  • Destruction of data when a device is transferred or recycled
  • Protection from theft

In addition, best practices include:

  • Working as a nonprivileged user, without administrative rights (a separate admin account can be set up for use only when needed)
  • Workstation management via joining Windows computers to the Campus domain and, for Macintoshes, Casper
  • An inventory of all departmentally owned IT equipment

Encryption Works Now

Any University-owned laptop computer used to access UVM non-public data or file services must have its storage system encrypted using a University-approved encryption system, with UVM retaining the encryption key.  That’s a very good idea for “desktop” computers, too, since they also are subject to theft.  When devices are stolen, encryption gives UVM a safe harbor under privacy protection laws such as Vermont Act 162; without encryption, legally mandated investigation and notification steps are time-consuming and can be expensive.

PGP Whole Disk Encryption was far from easy and problem-free, and consequently, the number of laptops protected by encryption has been low. But with BitLocker for Windows and Casper/FileVault for OS X, we really must finish the job and get all laptops encrypted. Encryption is mandatory for all laptops and portable devices — and it’s a feasible, reasonable precaution for desktops, as well. The best way to ensure compliance is to use centrally provided deployment services for each platform and ensure encryption is enabled at deployment. All new laptops configured by the ETS Client Services Computer Depot will have BitLocker or Casper/FileVault encryption, and ETS is discussing configuring new desktops for encryption. For computers that are already in service, ETS can help, and instructions are available.

Encryption works now; let’s take advantage and use it.

One-Step Security: Join the Domain 

Managing UVM-owned computers through Active Directory (Windows) and Casper (OS X) is the best way to take care of key usability, support, policy compliance, and security needs — while preserving user flexibility and local control.  It works well.  It encourages consistency.  It enhances security.  It ensures legal safe harbor for stolen devices by proving encryption status.  It keeps an inventory.  And it’s free.  Contact saa-ad@uvm.edu for more information.

Providing and enforcing a secure computing environment involves a mix of best practices and actions that are mandated by policy or by law.   I recognize that the urgency of putting out today’s fires can push security to the back burner, but in the long term, letting security slip will have a greater and more painful cost.  I hope that each of us will do everything we can to give it priority.

Are there ways that ETS or the Information Security Operations Team could help you provide and promote good security?  Please let us know.

Best regards,

Dean Williams

Information Security Officer

Enterprise Technology Services

Dean.Williams@uvm.edu | 802-656-1174  

Find information security news, best practices, and how to report concerns on the UVM Computing Web site:


Someone Stole My UVM Password; Now What?

You’ve probably had your UVM Net-ID locked because someone stole your password and started doing horrible things using your account, like sending spam or launching Internet attacks.  Enterprise Technology Services Account Services can get your account unlocked (call them at 656-2006) — but there are some critical steps you should take right away to protect yourself and others.

If you don’t know for sure how your password was stolen, it’s possible that your computer system has been infected with a virus or other malicious software (malware), so your next step should be to take action to protect your data and prevent your computer from being used to attack others.

Secure Your Computer

Ensure your computer is current with all available patches, fixes, and upgrades. If you do not have your operating system set to automatically update, do so now by visiting your operating system’s website and following the instructions.

Your computer’s security software should also be up-to-date. To check status, click on the icon for the security program on your system. If an update is needed, it will be indicated here. If you don’t have security software installed, you need to get it. Make sure you have anti-virus and anti-spyware software installed and a firewall enabled.

Confirm that your browsers are up-to-date. Tools such as Qualys BrowserCheck or WhatBrowser can help assess status.

Visit the Carry-In Center in the Davis Student Center for assistance.

If your computer checks out clean, it’s possible that another computer, tablet, or phone that you’ve used recently is infected.

Secure Your Accounts

You probably access numerous online accounts, including social media, banking, news sites, shopping, and others. If you’ve been hacked, there is a chance that important passwords have been stolen. Reset your passwords for your critical accounts first, starting with your email account, followed by financial and other critical accounts.  It is important to start with email accounts, since password resets for all of your other accounts are typically sent to your email.

Use separate and unique ID/password combinations for different accounts and avoid writing them down. You may want to use a password manager such as 1Password.  Make the passwords more complicated by combining letters, numbers, special characters, and by changing them on a regular basis.  If you are unable to log into one of your accounts, contact the service provider or website immediately. Most online providers include an online form, an email address to contact, or a phone number to call.

Secure Your Mobile Device

Mobile phones and tablets are also subject to attack. As we do with our personal computers, we have to ensure that the proper steps are taken to protect our information and devices. This includes installing security software, where available, and keeping all installed software up-to-date.

For More Information

You’ve been hacked, now what?

Your Email’s Been Hacked! Now What?

You Got Hacked! What Now?

Hacked: Now What?

I’ve Been Hacked! Now What?

You’ve been hacked! Now What?

Adapted from The Center for Internet Security (CIS).

Visiting Questionable Websites (or, Using Your “Internet Hazmat Suit”)

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:


With each phishing campaign that’s conducted against UVM’s students, faculty, and staff, the Information Security Office receives dozens of notifications from astute members of the community who recognize the email messages for what they are: a scam aimed at co-opting someone’s legitimate access to UVM’s information resources.

Occasionally, these notifications include a comment like, “I knew the email was a phish, and clicked the link. Wow, was that ever a poor excuse for a website!” (or “…Wow, the site looked exactly like myUVM!”). While we appreciate the heads-up and certainly understand folks’ curiosity, the sad fact is that even the simple act of visiting one of these websites can cause trouble by forcing your browser to make unauthorized requests, instigating malware downloads, or even by commandeering your web browser for control by nefarious puppeteers.

What’s the astute-yet-curious Internet citizen to do?

In short: Leave it alone, unless you’re willing to undertake a fair amount of work. Seriously: The Bad Guys have gone out of their way to take Everything That’s Nice About the Internet and turn it against us.

You’re still here? OK, there are a few techniques that someone willing to go the extra mile (well, frankly, a few extra miles) can use to investigate suspicious sites in relative safety. But even all of these are only a hedge, and not a guarantee that nothing Bad will happen to your computer/mobile device/information. Caveat lector/Lasciate ogni speranza/Here be dragons, etc.:

The “one-time experiment” approach: A separate user account on your computer.

The easiest entrée into Fearless Acts of Internet Investigation involves becoming someone else…sort of. Modern computer operating systems (including Windows, OS X, and Linux) leverage the concept of the user account. Whether you know it or not, each time you use your own computer, you log in as a particular user (even if you don’t use a password). In most “consumer computing” cases, that user is also an administrator of the machine’s operating system, meaning that it is capable of doing just about anything to that computer including installing malware like viruses and keyloggers.

The trick to safely investigating suspicious Internet sites is to NOT have that capability. Here’s how to do it:

  • Be certain your OS, web browser, and anti-virus/malware protections are fully up-to-date. It would be sad to do all this work only to be nailed by something that’s already been addressed, no?
  • Copy the suspect link to a piece of paper. Seriously? Yes: Where we’re going, you won’t be able to copy/paste between “here” and “there”…
  • Create a non-administrator user account. On both Windows and OS X computers, this is called a “Standard” user.
  • Switch to this newly-created user account. The process differs between Windows and OS X.
  • Disable JavaScript, Java, Flash, and ActiveX in your web browser. This will address common avenues for “silent” delivery of downloads and remote control of your browser. Again, different processes for different browsers like Firefox, Chrome, Internet Explorer, and Safari. Search engines like Google, Bing, and company are your friend, here.
  • Visit the site. (You’ve been so patient!)
  • STOP if you are presented with prompts that request Administrator privileges or the installation of browser plugins. (We’re specifically trying to rob the website of these capabilities, remember? :-))

It’s important to note something here: In disabling all those browser capabilities/plugins (JavaScript, Flash, etc.), we’ve traded “fidelity” for “safety”. In other words, the site you visit may not look as intended without those bells and whistles enabled, so it could be difficult to tell whether it’s a clone of myuvm.uvm.edu, or trying to do something sneaky like turn your browser into a zombie. The antidote to this is the next method, below.

The “dedicated” approach: A virtual machine.

A “virtual machine” is basically a second computer running inside your computer’s operating system. The great thing about virtual machines is that they can generally be copied. So you can, say, create a very basic virtual Windows or Linux machine template on your Windows, Mac, or Linux computer, make a copy of it to use when visiting unsavory websites, and then throw it away when you’re done. The next time you find yourself itching to check out another questionable site, make another copy, use that, throw it away when done. A lot like a disposable hazmat suit!

Popular virtualization technologies for desktop computers include VMware products for Windows computers and Macs, VirtualBox for both, Parallels Desktop for Macs, and KVM and Xen for Linux. You could even try out one of the free cloud offerings from the likes of Amazon if you just want to dip your toe in the water without installing software on your own computer. (Please note that UVM doesn’t formally endorse or support any of these products, even though they may be in use by various units. Caveat emptor/your mileage may vary.)

The advantage of this method over the “separate user account” approach is that the isolation from your everyday operating system (known as the “host OS” in virtualization lingo) is more complete, so you can let the browser run active content (JavaScript, Flash, etc.) and get the “full website experience” with more confidence. This does make it important that you destroy the virtual machine when you’re done, since it’s basically a full-fledged computer which you’ve just exposed to a bunch of Internet contagion. Which means, if it does catch some Exotic Internet Flu, it will be an infected computer with access to other computers on your home network/UVM’s network/the Internet.

Wait: What about my phone/tablet?

Sadly, there aren’t a lot of great options here for mobile devices. For better or for worse, most mobile device operating systems (like Android, iOS, and Windows RT) only support one all-powerful user account, so the “create a non-administrator user” option is out. (Notable exception: Windows Surface tablets running Windows 8.) And while there are some “sandboxing” options that mimic running virtual machines on these devices, they’re generally part of expensive enterprise mobile device management packages. Certainly it’s possible to remotely control a virtual machine using special apps on your mobile device, but you still have to have a virtual machine to control.

So, as of this writing: Stick to a laptop or desktop computer. (But look for that to change in the future. Maybe.)

That’s pretty involved.

If both of those approaches seem like a bunch of work, it’s because they are. Over the last two decades, computer operating systems and web browsers have developed capabilities for the rapid acquisition (read: download) of content, convenient installation of software (easy-to-use administrator accounts), and a rich interactive experience (JavaScript and friends), and hacking techniques have evolved to take advantage of those capabilities for nefarious purposes. So, in order to have a truly safe experience when visiting potentially-dangerous websites, one really needs to short-circuit a whole bunch of features that the modern Internet user takes for granted.

Is it possible to do this? Yes, if you’re committed to taking appropriate precautions. Is it for everyone? We leave that up to you.

So, in conclusion…

We encourage you to STOP before clicking the link in that scam email.

Then THINK about what information you might be putting at risk by visiting that website on the device you’re currently using (your phone? tablet? laptop?) — How many passwords are saved on there? What’s in the files contained in its local storage? Have you logged into your bank using this device? Did you ever log off?

Finally, CONNECT only if you’ve taken the extensive precautions required in order to do so safely.

Questions or comments? Get in touch with us: iso@uvm.edu


Safe surfing,

Sam Hooker, for the Information Security Operations Team

Physical Information Security for Everyone

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:


As weird as it might seem, there are physical aspects to securing information about you: Before your data are stolen or corrupted, there’s a need to keep track of devices and media containing information about you and your life. After someone acquires your data, there’s the possibility it could be used against you in the real world (online banking theft, physical robbery, extortion, and, in extreme cases, physical violence).

We encourage you to STOP before leaving your laptop or phone behind in a public area during trips to the restroom; before tossing your class schedule into the recycle bin unshredded; before posting information about your physical location, upcoming vacation (OK to post afterwards!), or financial habits.

Then THINK about the possible implications of this action; whether the links in that email or text message point to an official UVM website; whether you even have an account with that bank; whether Facebook is really likely to have forgotten how to use spell-check.

Finally, CONNECT with your surroundings, both virtual and physical: Is this a safe place to leave my laptop? Does this website seem sketchy?

A tiny pause can mean the difference between an enjoyable experience and a messy situation. It may seem like a lot to ask, but while we can’t claim this will make you invulnerable, it won’t be long before you don’t even realize you’re doing it.

Safe surfing,

Sam Hooker, for the Information Security Operations Team

Why would anyone want my NetID and password?

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:


Ever wonder why you get all those messages asking you to “Confirm your account now!” or “Login today or your email permissions will be revoked!” or “Verify your password or else!” or any number of other threats with a link that brings you to a site that might be a UVM-looking page (or not)?

The reason is simple: Your username and password open a lock. Unlocking that lock permits the user onto the UVM network (from anywhere in the world), gives them access to your email, and may allow logins to other UVM systems with access to all the same information you have.

And if you happen to have used the same username and password on other sites there could be money at stake (your bank? Amazon?). Could be that they can access other information about you that can be used to set up an identity that looks, electronically, just like you and can open the door for medical fraud, financial fraud, and other cyber crimes that can haunt you just as you are about to buy a house, get your first credit card, and snag you during a background check for that job you always wanted.

Protecting something as simple as your NetID and password now can help you avoid these problems in the future.

We encourage you to STOP before entering in your password on a site that was linked in an email. STOP before reusing that same password on multiple sites. STOP before posting information about yourself that may hint at what your password is. (Fortunately, it’s easier to change your password than rename your dog.)

Then THINK about the possible implications of this action: Would anyone really close your account because you didn’t respond to one threatening email? What are the consequences of not entering your username and password?

Finally, CONNECT with the sender’s organization to find out whether the message was real or a scam. Work with your bank/retailer/organization to have more options than a simple username and password combo to access their services.

A little effort now can help you avoid future mayhem, or at least reduce the effort necessary to undo the damage when your username and password are compromised.


Darcy Pientka, for the Information Security Operations Team

Situational Awareness for Everyone

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:


Paying attention to what is going on around you can go a long way toward keeping you and your data safe online.

We encourage you to STOP before automatically connecting to that open WI-FI hotspot.

Then THINK about both the name of the network you are connecting to — Is that actually the Starbucks WiFi network? — as well as the transactions you are performing over WiFi; make sure that any web transactions — especially shopping and banking — are only to secure web sites indicated by https:// in the URL instead of just http://. NEVER click through “invalid-” or “expired certificate” errors on shopping or banking or University websites.

Finally, CONNECT  with caution.

In addition to the caveats above, consider using a VPN to protect your data in transit over an open WiFi network. A VPN creates an encrypted tunnel between your computer and the VPN server, thus protecting your data.

Note: sslvpn.uvm.edu is available for use by any UVM affiliate.


Lynne Meeks, for the Information Security Operations Team

Traveling Abroad without Making the News (Mobile Tech Edition)

Occasionally, a member of the community approaches the ISO Team to ask for our advice on traveling safely with mobile technology. While individual circumstances (including the nature of the mobile technologies/data in play, the nature of the trip, the particular destination) will dictate specifics, our general recommendations (below) will cover a lot of ground for a lot of folks.

  1. Unless there is a tremendously-compelling reason to do otherwise, leave your normal work machine (with your years of research data, UVM/previous employer’s email, grant proposals, intellectual property, personal finances, countercultural rantings, etc.) at home and take a loaner machine (provided by your Helpful IT Folks) containing only the materials necessary for the trip.
  2. This loaner should be wiped and get a fresh OS install to keep from leaking data belonging to the *last* person who traveled with it…and to keep the new traveler from picking up any *ahem* latent “gifts” acquired by the last user. Set all installed browsers to clear all private data on session termination, and disable (browser-based) password storage.
  3. Make liberal use of webmail.uvm.edu, webfiles.uvm.edu, and sslvpn.uvm.edu while abroad.

These suggestions apply to smartphones/tablets/Google Glass/smart watches/any other device that stores data which could be 1) a liability to the university if lost or 2) embarrassing to the user if confiscated. Or data the export of which is controlled under ITAR rules. (Yes, that applies to Higher Ed.)

[Edit 8 November, 2013: It’s worth considering, too, that not all travel destinations feature the robust freedoms of expression that we enjoy in the U.S., so feel free to substitute/append “…or could precipitate your detention if confiscated and found to be at variance with local law.”]

Why incur this much potential inconvenience? One reason is that humans have a tendency to (subconsciously) downplay the risks inherent in the data they tote around on a daily basis, and while “safe” might cost them an extra few hours over their two-week trip, “sorry” can manifest in more…time-consuming ways.

Incidentally: Simply having the storage encrypted doesn’t suffice in a number of travel zones, as customs officials may be invested with the authority to compel the owner to unlock/decrypt it. (And encryption is illegal in certain jurisdictions.)

Want to share your own tips/travel-tech stories? Got questions? Need to chat about your specific circumstances? Please let us know! As usual, we can be reached at iso@uvm.edu.



Sam Hooker, for the ISO Team
