Build a Resilient Cybersecurity Environment – Page 3 – University of Florida Information Technology News

ChatGPT: Guidelines for Campus Usage

Posted on April 17, 2023April 25, 2023

Responses provided by the ChatGPT application can save time, but beware: the data you input or ask the app to develop may be retained and provided as responses to other users. ChatGPT users have very limited control over its use of the data provided to the app, and its parent company–OpenAI–does not currently offer a process to amend or delete entries submitted. UF’s Privacy Office and the UF Information Security Office want everyone in the Gator community to understand that putting data into ChatGPT or a similar service is equivalent to disclosing the data to the public.

ChatGPT is currently being assessed for regulatory concerns related to privacy and confidentiality of data. University of Florida data classified as sensitive or restricted is not approved for use with ChatGPT. Sensitive and restricted data includes:

• Social Security Numbers
• Education Records
• Employee Data
• Credit Card Numbers
• Protected Health Information
• Human Subject Research Data
• Unpublished Research Data
• Personally Identifiable Information

An assessment of ChatGPT has been added to the university’s technology solutions website: https://irm.ufl.edu/fast-path-solutions/items/chatgpt.html. Remember that all faculty, staff, and students share the responsibility of keeping UF information secure. Visit the Office of Privacy website for additional information on using ChatGPT.

Prohibited Technologies Announced by Board of Governors

Posted on April 6, 2023

The University of Florida has complied with the State University System (SUS) Board of Governors Emergency Regulation 3.0075 – Security of Data and Related Information Technology Resources, adopted on March 29, 2023. Regulation 3.0075 requires SUS institutions to remove technologies listed on its Prohibited Technologies List from any university-owned device. Additionally, these technologies must be blocked from the university’s network.

Effective immediately, the installation or use of Tencent QQ, TikTok, WeChat, VKontakte, and Kaspersky on any university-owned device, network, or to conduct any university business including marketing and advertising, is prohibited. Faculty and staff that have any prohibited technologies installed on a university-owned mobile device or computer are required to remove them and cease their use. The prohibited technologies are also now blocked from use on any UF Wi-Fi network.

UF strongly recommends discontinuing use of the prohibited technologies and removing the apps from personal devices as well. Taking this action will help protect personal information as well as university data. University information security staff continuously evaluate technology vendors, software products, and services. UF maintains a list of approved technologies on its Fast Path Solutions website. High-risk software and services that present an unacceptable level of cybersecurity risk are listed as ‘not permitted for use’. More information on the university’s response to SUS Emergency Regulation 3.0075 can be found on UFIT’s https://security.ufl.edu/resources/prohibited-technologies/ webpage.

Avoid Public Wi-Fi

Posted on March 23, 2023March 29, 2023

Traveling this summer? Avoid public
Wi-Fi networks as much as possible.

Using public Wi-Fi is easy because they don’t require a password. However, free unsecured access can allow hackers to watch every keystroke–as you log into bank accounts, GatorMail, make purchases, and access other files. In just seconds, all your personal and financial information can be stolen. According to Forbes, four in 10 people have had their information compromised while using public Wi-Fi.

Restaurants, hotels, and airports are among the most popular places people use unsecured Wi-Fi. Airports offer the perfect cybercrime environment. As people use public, unsecured Wi-Fi to read their emails or check the weather at their destination, someone might be tracking every click. How? One way is that hackers create free public Wi-Fi access networks with names that sound like the official airport Wi-Fi network. For instance, which would you log into: ‘CLT Free WiFi’ or ‘Charlotte Airport WiFi’? If you selected the wrong one from the list of available networks that pop up on your phone, then with just one click you are gifting all your personal information to a hacker. We are all addicted to connecting with friends, work, and family. But remember, you should only use encrypted or password-secured networks. Also, use UF’s VPN connection, so what you do send and receive is encrypted.

Visit https://news.it.ufl.edu/security/safe-travel-is-smart-travel-cyber-vigilance/ for more tips on information security and travelling safely.

Falling for a Phish Can Lead to an MFA Bombing Attack

Posted on March 16, 2023March 16, 2023

Phishing attacks are frequently carried out through emails or texts that appear to come from a reputable source. Cybercriminals are skilled at using deceitful tactics to trick users into revealing personal information such as logins or credit card information. Common phishing tactics include:

• Unsolicited work opportunities that lead to requests for bank routing information, or ask the new “employee” to purchase supplies, with the promise of reimbursement
• Messages warning of an imminent deactivation of your accounts, such as bank accounts, social media accounts, or subscription services
• Emails allegedly from the IRS, FBI, or other federal agency threatening legal action, and directing you to imposter websites requiring you to enter personally identifying information
• Urgent requests from fake email accounts impersonating a high-level person in your organization, asking you to purchase gift cards or submit your credit card information.

Pay close attention to any email asking for GatorLink login credentials. Unauthorized access to your GatorLink account can expose your personal or academic information. Once a GatorLink login is compromised, the attacker may repeatedly spam Duo Push requests to your device — otherwise known as “MFA Bombing” — hoping you will accept just to make the requests stop. Approving an unexpected Duo request gives the criminal access to your account. Visit the MFA bombing webpage to learn more about this form of cyberattack.

Simplifying Access to HiPerGator

Posted on February 2, 2023

UF is simplifying research collaboration across the state and around the world. Research and teaching faculty from InCommon federated institutions can now utilize HiPerGator, the University of Florida supercomputer, without having to apply for GatorLink account credentials. UF is an InCommon Federation member, one of more than 500 universities and research institutions worldwide. InCommon is a multi-institutional exchange enabling members of higher education affiliates to use their digital credential for access to systems and services at member institutions.

Expanding access via the InCommon Federation saves time by reducing administrative overhead for non-UF faculty, students, and staff who would like to leverage HiPerGator. Federated access removes the manual steps since the validation has already occurred at the participant’s institution.

External researchers must still be sponsored by a UF principal investigator or UFIT staff member before HiPerGator can be accessed. Instructors with State University System of Florida or Southeastern Conference institutions who would like to incorporate HiPerGator into their teaching also still need their requests approved by Research Computing, so the proper training and consultation can be scheduled and compute resources can be allocated. Anyone with questions about requesting a federated HiPerGator account can learn more on https://www.rc.ufl.edu/get-started/hipergator/request-federated-hipergator-account/.

MFA Bombing On the Rise at UF

Posted on January 9, 2023

MFA bombing attacks are increasing at UF. MFA bombing is a tactic used to circumvent your UF account’s multi-factor authentication measures. During an MFA bombing, the attacker uses your stolen username and password to repeatedly send ‘Duo Push’ notifications and/or phone call requests, hoping after multiple notifications you will give up and approve the Duo request. Approval will give the attacker access to your GatorLink account. If an attacker can MFA bomb you with repeated Duo requests, it means your GatorLink password is compromised and the attacker is trying to sign in using the stolen password.

To stop the onslaught of Duo attempts, you’ll need to reset your GatorLink password. Visit the GatorLink Account Management portal, select “Forgot/Reset Your Password,” and follow the prompts after selecting “Self-Service Reset.” You will be asked to provide your UFID, Gatorlink username, and additional information used to verify your identify.

It is important to use “Forgot/Reset Your Password,” and not “Change Your Password,” because the latter requires you to sign in–and you may accidentally approve the attacker’s Duo Push instead of your own requested notification!

The Duo requests should stop soon after resetting your password. (It may take a few moments for the attacker to get kicked out.) For more information on MFA bombing, visit UF’s Information Security website’s MFA bombing page.

Avoiding Scammers This Holiday Season

Posted on December 19, 2022December 19, 2022

We are ordering more online nowadays. Broader selection, convenience of shopping from the couch, and increasingly no-charge shipping and returns makes online shopping more attractive than going to an uninspiring mall. Know who else finds online shopping very attractive? Scammers.

Scammers can get a lot of information by following the breadcrumb trails we leave when searching online. (Another reason to clear cache and cookies.) This allows them to create very realistic ways to scam you, including:

Order Confirmation Scams. These are unexpected calls, texts, or emails that often refer to an unauthorized purchase and ask you to act urgently to confirm or cancel the purchase. Scammers try to convince you to confirm payment method (such as providing your credit card number) or your bank account number, or to install malicious software onto your computer/device.

Tech Support Scams. Scammers create fake websites and then text you the URL, claiming to provide tech support for your recently purchased devices. Customers who visit these pages can fall for schemes like paying for a support contract, getting a device repaired, or purchasing of accessories that will never arrive.

UFIT has additional information online to help you identify online scams. Keep your personally identifying information and your money safe, Gators!

Clear Your Search Histories

Posted on November 21, 2022November 21, 2022

Did you know your online activity — including the sites you visit, places you view on Google Maps, videos you watch, and more — is tracked and stored? Companies, both legitimate and malicious, use cookies to learn what you do online. How? Companies keep records of your online activity by using a Third-Party cookie, which links the activity from your browser back to the profile they have of you. From there, your information could become compromised and shared with groups interested in stealing your personal information or compromising your university.

Regularly clearing your cookies can help limit this surveillance because doing so breaks the link that companies rely on to identify you. Clearing cookies is easy! If you use Google Chrome, first open your browser, then → Open the “Options” menu located near the top right corner of the window → Select “More Tools” → Select “Clear Browsing Data” → To delete everything select “All Time” → and then “Clear Data.” That’s it! The steps can vary slightly depending on the device and browser used, so visit this page for information on how to clear cookies in your preferred browser.

Learn more ways to keep your personal data private by visiting UF’s Information Security Office website.

Cyber Bowl 2022: Beat FSU!

Posted on October 3, 2022

For Cyber Security Awareness Month, Florida State University’s Information Technology Services (FSU-ITS) challenged UF to a Cyber Bowl, an online game played on the virtual playing field. The Cyber Bowl will be live from October 3 – 14. It’s set up like a football game with four quarters. Each “quarter” contains one question related to social engineering. So…how do the Gators win?

The university who can get the most students, faculty, and staff game players wins. To register your entry in the game, all that’s needed is a valid UFL.EDU email address. The Florida State community is answering the same questions that UF is. And just for playing the Cyber Bowl, you could win a pair of tickets to the Florida-Florida State game on November 25! UFIT will randomly select one student and one faculty/staff member from all game entries to win the tickets. You don’t have to answer the questions correctly for a chance to win. Just complete the entry screen after the questions. And hey, learning more about social engineering is a “win” for you and for your university.

To play, visit https://cyberbowl.security.ufl.edu/ anytime between October 3 – 14, answer the questions, and help us beat the ‘Noles! That’s always a good thing, whether we’re playing FSU in a virtual location or a physical one. Thanks for participating in the Cyber Bowl and…GO GATORS!

Cybercrime Spikes at Start of Semester

Posted on September 5, 2022October 2, 2022

Phishing emails, with malware and dangerous links embedded in them, increase at the start of each semester. Why? Cybercriminals know that new faculty, students, and staff do not yet understand what to expect from UF emails, and whether asking for GatorLink password information in an email is standard conduct. (It isn’t.)

In addition to phishing, social engineering includes deceitful activities like spear phishing, smishing, tailgating, and doxxing. Make time to review the Information Security Office’s
social engineering webpage and become familiar with techniques that cybercriminals use. To help the UF community better understand phishing, Dr. Amanda Phalin, Faculty Senate chair and senior lecturer in Warrington’s Management Department, recorded this video, which explains what it is and how it works.

In the past 12 months, UFIT’s security detection systems have caught 98.5% of phishing messages sent from outside the university. Still, some phishing emails do get through. That’s why being vigilant about what you click on is so important. The phish alert report button in GatorMail lets you report suspicious messages. If you receive an email you suspect is a phish, highlight the email and click on the phish alert report button. This action sends the potentially malicious email directly to the Information Security Office so staff can investigate. Emails from outside UF are marked with the [External Email] banner. Apply extra caution when you see this banner, especially if they purport to be from someone at UF.

Have a great semester and GO GATORS!