June News from Information Security

Summer is upon us! With all of the things that go on here at Berry during the summer, I am endeavoring to keep this newsletter somewhat brief, but still informative. First, there is some late-breaking news about a new vulnerability in Microsoft Windows and Office. If you read nothing else in the newsletter read this first section, unless you are a Mac user…if so, you can safely skip it if you NEVER use a Windows machine. After that, we’ll consider the question of where have you been and what have you done over the last thirty days. If you don’t remember, and you have a Google account, then Google knows. While all of the things you did were most likely a mix of work and personal activities, I’ll offer you an encouragement to attempt to keep those activities and the data resulting from them separate. Finally, some updates…actually, there are LOTS of updates. I’ll update you on the important ones.

There is a new vulnerability in Microsoft Office and Windows (yep, Mac users, as I already mentioned, you can skip this section) that bypasses many of the safeguards in place to protect you from malicious documents. This new vulnerability only requires you to open the document. There is no other interaction required and there is no indication that anything is happening other than the fact that you are staring at a blank or unfamiliar document. Importantly, Outlook is vulnerable, so an email formatted as HTML (the default in Outlook) could trigger this vulnerability. Read the previous sentence again. One more time. If you are one of those people who use the preview pane in Outlook, I highly recommend you turn it off, at least until an update is applied to mitigate this risk. Also, at least until you have updated, turn off the preview pane in Windows Explorer also, as a preview is all that is required, based on current information.

As always, be VERY careful with emails from unknown senders. If the subject line also seems “phishy”, I suggest you not open the email in Outlook. If you absolutely must read the email to be sure it is not a phishing email, I would suggest you read it on your phone, which would not be vulnerable to this exploit. You can then report the email if it does appear to be fraudulent, if you are using the Outlook app on your phone. As usual, don’t open any documents you are not expecting. Report any suspect emails with attached documents via the Report Email as Phishing button.

The good news about this new vulnerability is that we have already sent out updates to college managed computers to protect them. If you want to make certain you receive this update, take a few minutes to reboot your machine, which should apply the update during the startup process. For your personal Windows machines, be sure to update your antivirus/anti-malware software as soon as you can, but particularly before viewing emails in Outlook (if you use it) or opening Office documents you receive unexpectedly in an email (but you already know not to do that, right?).

We use our phones, web browsers, and computers for everything these days. A huge number of us have Google accounts for something, even if it is not email. Maps, office apps, cloud storage, YouTube-it can all be connected to Google. Type the following URL into your browser, or simply click on it – https://myactivity.google.com. If you are not signed in to something Google, there will be a link to do so. Once you are signed in, you can see everything that Google saw you do over the past few days. This could include where you were, what locations you searched for, what documents you opened in Google Drive, what videos you watched on YouTube, what sites you opened in your browser, and any other thing Google can track based on the privacy settings for your Google account. If you are horrified by what Google knows about you, these settings can be adjusted right from the links on the My Activity page. Take a look, but don’t be surprised if Google remembers something you don’t…

With all the tracking that goes on from Google, Facebook (or Meta, if you prefer), and other companies, the entanglement of our personal and professional lives is inevitable, even if in just a minor way. To speak honestly, the Internet stays in a perpetually dangerous state, as the good guys and the bad guys go back and forth in a digital war to protect or attack everything they can. It is with this background in mind that I suggest you make every effort to keep your personal and professional data separate. What do I mean by that?

  • Don’t use your Berry email address to sign up for services, unless your eligibility for the service is based on being a Berry employee and your eligibility is verified by having a Berry email address. This was acceptable way back in the previous century when email addresses were more difficult to come by, but with the plethora of options available now, there’s no reason to use your Berry account for most services and websites.
  • Don’t store work documents in your personal cloud storage, or transfer them to personal storage devices like USB thumb drives or external hard drives. If you have a college provided external hard drive or other storage device connected to your desktop for backup purposes, that is different. This recommendation is to protect Berry’s data from loss in the event a personal device is lost, damaged, or stolen.
  • Along those same lines, don’t store personal documents on your work computer or in your work cloud storage. Especially don’t keep an “only copy” of data either of these places. Berry is not responsible for protecting, archiving or transferring this data. This is more about protecting your data than Berry’s, but in the case where a personal file might get infected with malware, it is also ultimately to protect Berry’s data and environment.

Don’t view this as some kind of ban on personal use. We all, at some point, will do some personal work on our work computer, if we happen to have one. This is allowed by the Acceptable Use Policy, but please don’t abuse this privilege. The less mixing of personal and professional data, the better, but if you have any questions about that, please don’t hesitate to ask me. I’ll field “hypothetical” questions if that will make you more comfortable asking.

Finally, updates, updates and more updates. As usual, make sure your browser is up to date. Both Chrome and Firefox are past version 100 now. Firefox is at 100.0.2 and Chrome is at 102.0.5005.63. Also, the iPhone has an update out. The latest version of iOS is 15.5. Go to your settings and check what version you have. If you don’t know how, check out this article on the Apple site. Finally, make sure your Zoom client, if you have it installed, is up to date. The latest as of this writing is 5.10.7. If your Zoom client is out of date, it should tell you when you launch it and ask to update. If it does not, click on the account icon in the top right of the client. It will have your initials or a picture there. On the menu that opens choose “Check for Updates”. That’s it. I hope this newsletter was helpful and not too disturbing for you Windows users.

With MFA enabled on your Berry account, you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.

If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the current posts page.

You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted.

Food For Thought

This month’s food for thought is an interesting chapter opening quote from a science fiction book series I read earlier this year. J.M. Anjewierden has a series of books called The Black Chronicles, available on Amazon (this is not a commercial for the series, just an explanation of where the quote came from) which is actually still awaiting the next, hopefully last, entry to be published. I realize the reaction to this food for thought may be…mixed, but I am not espousing a political position, just passing along some food for thought…

There is very little a government does well. Wasting time and money is, perhaps, not one the public wishes was among its strengths, but many prefer that to its other main strength, that of the utilization of force. – Councilor Jorge Peterson, Diet of Nomad (From Black Holiday, by J.M. Anjewierden)

Featured Image:

Photo by Clint Patterson on Unsplash

(Visited 174 times, 1 visits today)