Work Safely with Restricted Data

Restricted data refers to data collected, maintained, or managed by the university or through any university activities that are restricted by special protections from federal or state laws, regulatory mandates, or contractual obligations. Improperly working with, storing of, or transmitting restricted data could result in the revocation of research certifications, university business partnerships, and federal and state grants. In addition to the legal liabilities and financial obligations placed on individual employees and the university, a breach or misuse of restricted data would negatively impact UF’s reputation.

Types of restricted data are listed here. They include, but are not limited to, student records (FERPA), protected health information (HIPAA), Social Security numbers and credit card information, and export controlled data (ITAR).

All faculty and staff are required to annually complete the Information Security Awareness training, which includes a section on working with restricted data. UF’s Mobile Computing and Storage Devices Policy explains security and encryption standards required for devices operating with restricted data. UFIT’s Integrated Risk Management team is available to help clarify data classifications and the technologies and tools cleared for use with restricted data. Anyone in the UF community with questions is welcome to email irm-uf@ufl.edu.

ChatGPT: Guidelines for Campus Usage

Responses provided by the ChatGPT application can save time, but beware: the data you input or ask the app to develop may be retained and provided as responses to other users. ChatGPT users have very limited control over its use of the data provided to the app, and its parent company–OpenAI–does not currently offer a process to amend or delete entries submitted. UF’s Privacy Office and the UF Information Security Office want everyone in the Gator community to understand that putting data into ChatGPT or a similar service is equivalent to disclosing the data to the public.

ChatGPT is currently being assessed for regulatory concerns related to privacy and confidentiality of data. University of Florida data classified as sensitive or restricted is not approved for use with ChatGPT. Sensitive and restricted data includes:

Social Security Numbers
Education Records
Employee Data
Credit Card Numbers
Protected Health Information
Human Subject Research Data
Unpublished Research Data
Personally Identifiable Information

An assessment of ChatGPT has been added to the university’s technology solutions website: https://irm.ufl.edu/fast-path-solutions/items/chatgpt.html. Remember that all faculty, staff, and students share the responsibility of keeping UF information secure. Visit the Office of Privacy website for additional information on using ChatGPT.

Prohibited Technologies Announced by Board of Governors

The University of Florida has complied with the State University System (SUS) Board of Governors Emergency Regulation 3.0075 – Security of Data and Related Information Technology Resources, adopted on March 29, 2023. Regulation 3.0075 requires SUS institutions to remove technologies listed on its Prohibited Technologies List from any university-owned device. Additionally, these technologies must be blocked from the university’s network.

Effective immediately, the installation or use of Tencent QQ, TikTok, WeChat, VKontakte, and Kaspersky on any university-owned device, network, or to conduct any university business including marketing and advertising, is prohibited. Faculty and staff that have any prohibited technologies installed on a university-owned mobile device or computer are required to remove them and cease their use. The prohibited technologies are also now blocked from use on any UF Wi-Fi network.

UF strongly recommends discontinuing use of the prohibited technologies and removing the apps from personal devices as well. Taking this action will help protect personal information as well as university data. University information security staff continuously evaluate technology vendors, software products, and services. UF maintains a list of approved technologies on its Fast Path Solutions website. High-risk software and services that present an unacceptable level of cybersecurity risk are listed as ‘not permitted for use’. More information on the university’s response to SUS Emergency Regulation 3.0075 can be found on UFIT’s https://security.ufl.edu/resources/prohibited-technologies/ webpage.

Avoid Public Wi-Fi

Traveling this summer? Avoid public
Wi-Fi networks as much as possible.

Using public Wi-Fi is easy because they don’t require a password. However, free unsecured access can allow hackers to watch every keystroke–as you log into bank accounts, GatorMail, make purchases, and access other files. In just seconds, all your personal and financial information can be stolen. According to Forbes, four in 10 people have had their information compromised while using public Wi-Fi.

Restaurants, hotels, and airports are among the most popular places people use unsecured Wi-Fi. Airports offer the perfect cybercrime environment. As people use public, unsecured Wi-Fi to read their emails or check the weather at their destination, someone might be tracking every click. How? One way is that hackers create free public Wi-Fi access networks with names that sound like the official airport Wi-Fi network. For instance, which would you log into: ‘CLT Free WiFi’ or ‘Charlotte Airport WiFi’? If you selected the wrong one from the list of available networks that pop up on your phone, then with just one click you are gifting all your personal information to a hacker. We are all addicted to connecting with friends, work, and family. But remember, you should only use encrypted or password-secured networks. Also, use UF’s VPN connection, so what you do send and receive is encrypted.

Visit https://news.it.ufl.edu/security/safe-travel-is-smart-travel-cyber-vigilance/ for more tips on information security and travelling safely.

Falling for a Phish Can Lead to an MFA Bombing Attack

Phishing attacks are frequently carried out through emails or texts that appear to come from a reputable source. Cybercriminals are skilled at using deceitful tactics to trick users into revealing personal information such as logins or credit card information. Common phishing tactics include:

Unsolicited work opportunities that lead to requests for bank routing information, or ask the new “employee” to purchase supplies, with the promise of reimbursement
Messages warning of an imminent deactivation of your accounts, such as bank accounts, social media accounts, or subscription services
Emails allegedly from the IRS, FBI, or other federal agency threatening legal action, and directing you to imposter websites requiring you to enter personally identifying information
Urgent requests from fake email accounts impersonating a high-level person in your organization, asking you to purchase gift cards or submit your credit card information.

Pay close attention to any email asking for GatorLink login credentials. Unauthorized access to your GatorLink account can expose your personal or academic information. Once a GatorLink login is compromised, the attacker may repeatedly spam Duo Push requests to your device — otherwise known as “MFA Bombing” — hoping you will accept just to make the requests stop. Approving an unexpected Duo request gives the criminal access to your account. Visit the MFA bombing webpage to learn more about this form of cyberattack.

MFA Bombing On the Rise at UF

MFA bombing attacks are increasing at UF. MFA bombing is a tactic used to circumvent your UF account’s multi-factor authentication measures. During an MFA bombing, the attacker uses your stolen username and password to repeatedly send ‘Duo Push’ notifications and/or phone call requests, hoping after multiple notifications you will give up and approve the Duo request. Approval will give the attacker access to your GatorLink account. If an attacker can MFA bomb you with repeated Duo requests, it means your GatorLink password is compromised and the attacker is trying to sign in using the stolen password.

To stop the onslaught of Duo attempts, you’ll need to reset your GatorLink password. Visit the GatorLink Account Management portal, select “Forgot/Reset Your Password,” and follow the prompts after selecting “Self-Service Reset.” You will be asked to provide your UFID, Gatorlink username, and additional information used to verify your identify.

It is important to use “Forgot/Reset Your Password,” and not “Change Your Password,” because the latter requires you to sign in–and you may accidentally approve the attacker’s Duo Push instead of your own requested notification!

The Duo requests should stop soon after resetting your password. (It may take a few moments for the attacker to get kicked out.) For more information on MFA bombing, visit UF’s Information Security website’s MFA bombing page.

Avoiding Scammers This Holiday Season

We are ordering more online nowadays. Broader selection, convenience of shopping from the couch, and increasingly no-charge shipping and returns makes online shopping more attractive than going to an uninspiring mall. Know who else finds online shopping very attractive? Scammers.

Scammers can get a lot of information by following the breadcrumb trails we leave when searching online. (Another reason to clear cache and cookies.) This allows them to create very realistic ways to scam you, including:

Order Confirmation Scams. These are unexpected calls, texts, or emails that often refer to an unauthorized purchase and ask you to act urgently to confirm or cancel the purchase. Scammers try to convince you to confirm payment method (such as providing your credit card number) or your bank account number, or to install malicious software onto your computer/device.

Tech Support Scams. Scammers create fake websites and then text you the URL, claiming to provide tech support for your recently purchased devices. Customers who visit these pages can fall for schemes like paying for a support contract, getting a device repaired, or purchasing of accessories that will never arrive.

UFIT has additional information online to help you identify online scams. Keep your personally identifying information and your money safe, Gators!

Clear Your Search Histories

Did you know your online activity — including the sites you visit, places you view on Google Maps, videos you watch, and more — is tracked and stored? Companies, both legitimate and malicious, use cookies to learn what you do online. How?  Companies keep records of your online activity by using a Third-Party cookie, which links the activity from your browser back to the profile they have of you. From there, your information could become compromised and shared with groups interested in stealing your personal information or compromising your university.

Regularly clearing your cookies can help limit this surveillance because doing so breaks the link that companies rely on to identify you. Clearing cookies is easy! If you use Google Chrome, first open your browser, then → Open the “Options” menu located near the top right corner of the window → Select “More Tools” → Select “Clear Browsing Data” → To delete everything select “All Time” → and then “Clear Data.” That’s it!  The steps can vary slightly depending on the device and browser used, so visit this page for information on how to clear cookies in your preferred browser.

Learn more ways to keep your personal data private by visiting UF’s Information Security Office website.

Cyber Bowl 2022: Beat FSU!

For Cyber Security Awareness Month, Florida State University’s Information Technology Services (FSU-ITS) challenged UF to a Cyber Bowl, an online game played on the virtual playing field. The Cyber Bowl will be live from October 3 – 14. It’s set up like a football game with four quarters. Each “quarter” contains one question related to social engineering. So…how do the Gators win?

The university who can get the most students, faculty, and staff game players wins. To register your entry in the game, all that’s needed is a valid UFL.EDU email address. The Florida State community is answering the same questions that UF is. And just for playing the Cyber Bowl, you could win a pair of tickets to the Florida-Florida State game on November 25! UFIT will randomly select one student and one faculty/staff member from all game entries to win the tickets. You don’t have to answer the questions correctly for a chance to win. Just complete the entry screen after the questions. And hey, learning more about social engineering is a “win” for you and for your university.

To play, visit https://cyberbowl.security.ufl.edu/ anytime between October 3 – 14, answer the questions, and help us beat the ‘Noles! That’s always a good thing, whether we’re playing FSU in a virtual location or a physical one. Thanks for participating in the Cyber Bowl and…GO GATORS!

Cybercrime Spikes at Start of Semester

Phishing emails, with malware and dangerous links embedded in them, increase at the start of each semester. Why? Cybercriminals know that new faculty, students, and staff do not yet understand what to expect from UF emails, and whether asking for GatorLink password information in an email is standard conduct. (It isn’t.)

In addition to phishing, social engineering includes deceitful activities like spear phishing, smishing, tailgating, and doxxing. Make time to review the Information Security Office’s
social engineering webpage and become familiar with techniques that cybercriminals use. To help the UF community better understand phishing, Dr. Amanda Phalin, Faculty Senate chair and senior lecturer in Warrington’s Management Department, recorded this video, which explains what it is and how it works.

In the past 12 months, UFIT’s security detection systems have caught 98.5% of phishing messages sent from outside the university. Still, some phishing emails do get through. That’s why being vigilant about what you click on is so important. The phish alert report button in GatorMail lets you report suspicious messages. If you receive an email you suspect is a phish, highlight the email and click on the phish alert report button. This action sends the potentially malicious email directly to the Information Security Office so staff can investigate. Emails from outside UF are marked with the [External Email] banner. Apply extra caution when you see this banner, especially if they purport to be from someone at UF.

Have a great semester and GO GATORS!