
July 3, 2012

DoIT News Moving to myUMBC Groups

As of today, the DoIT News will be published through the DoIT Group on myUMBC, which in turn feeds the new DoIT site at doit.umbc.edu. As such, we will no longer be maintaining this Movable Type blog. However, it will remain for archive purposes.

FYI to DoIT Group members:

How do I post a new blog in myUMBC groups?

If you have questions, please contact the Technology Support Center (TSC) located on the first floor of the library next to the RLC or call 410.455.3838.

Posted by fritz at 9:19 AM | TrackBack

September 12, 2011

Phishing Attacks: How to Spot Fake Emails

Phishing emails often pretend to be from your bank, credit card company, eBay or PayPal. However, you also get legitimate messages from these companies, so how do you tell the real ones from the fakes? Real emails often contain your name and may start “Dear John Smith”, but phishers don’t know you, so fakes have something general like “Dear customer”. If an email isn’t addressed specifically to you, you should suspect it is a fake.

Many phishing emails talk about technical problems that require you to click a link and enter your account details. Banks, eBay, PayPal, and so on, never lose your details and they don’t need to ask you for them. The links in phishing emails point to fake websites with wrong addresses, so check the status bar when the mouse hovers over a link or the URL in Internet Explorer’s address bar if you do actually find yourself on a phishing site. It is best not to click links in emails because fake addresses can be disguised.

Phishers’ response to advice not to click links in emails is to provide a bogus telephone number and ask people to ring the bank instead. An automated response asks you for your account details, which they then use to relieve you of your cash. Another common attribute of phishing scams is poor English – if an email is badly written it is probably a fake.

The best way to avoid being caught out by phishing scams is never to click links in emails relating to sites that might hold sensitive information about you, such as credit card details. If you get a message supposedly from your bank, eBay or PayPal about a problem, just start Internet Explorer and type the usual address into your web browser. Log on and you will soon see if there really is a problem or not.

If you are in doubt about an email’s legitimacy or think you have inadvertently given away your personal details, contact your bank or the company immediately via contacts on their official websites.

Posted by anna at 5:15 PM | TrackBack

February 14, 2011

UPDATE: Microsoft Blocking UMBC Mail

UPDATE Feb 15, 2011: Microsoft has lifted their block on mail originating from UMBC.

---------------------------------------------------------------------------------------------

Over the weekend a departmental desktop machine was compromised and it subsequently sent over 500,000 spam messages in less than 24 hours. The end result is that all Microsoft mail (e.g. Hotmail, Live.com, MSN) is blocking mail originating from UMBC mail servers.

The single caveat is that anyone who moved their mail to Google@UMBC remains unaffected by the block imposed by Microsoft. Anyone still on the existing UMBC (Cyrus) mail will be impacted by this block.

Unfortunately, Microsoft is extremely aggressive in blocking anyone they view as a spam source. To complicate matters further, they won't work directly with UMBC in resolving issues. The end result is that most of the time legitimate mail sent to Hotmail users from UMBC is simply blocked. This has created a number of issues for various offices on campus that need to communicate with existing and prospective students.

We entered requests to have this block removed using Microsoft's automated interface. The site currently states that the block will be lifted in approximately 48 hours.

Posted by mikec at 3:18 PM | TrackBack

February 5, 2010

Security Update: Why UMBC's Login Screen Has Changed

During the past two weeks UMBC account holders have been the targets of Phishing attacks. Phishing is where a criminal entity or hacker attempts to acquire sensitive information such as usernames, passwords or personal financial information by masquerading as a trustworthy entity. In UMBC's case they have been pretending to be representatives of DoIT or other trusted groups within UMBC. Their fake e-mails provide a seemingly legitimate and innocent request to Login to myUMBC.

Unfortunately, the link they provide in the e-mail takes you to a page that looks just like UMBC's login pages when in fact it is a bogus web page that collects your username and password. To help educate the campus we have created a new pop-up during the login encouraging users to always check the Web Address in your browser to make sure it originates from UMBC.

Here is a sample of the new security tip pop-up:

[Screenshot of the security tip pop-up]

The hackers then log in with the compromised user name and password to send millions of spam messages all over the world. The end result is that UMBC's mail servers are blocked by various mail providers (e.g. Hotmail, Gmail etc.) because UMBC looks like a spam source. This creates numerous problems for staff and limited resources at UMBC.

A Few Reminders From DoIT:

* NEVER Provide Your User Name and Password to Anyone
* NEVER Click on a Link You Are Not Expecting or Are Unsure Of
* NEVER Download or Open a File You Are Not Expecting or Unsure Of
* NEVER Install Software That You Are Not 100% Sure Of


A Few Helpful Hints:

* Phishing E-mails Often State Some Urgent Need for Your Information
- e.g. Recent system upgrade, security changes to systems etc.
- If UMBC has a truly urgent need we will also provide a UMBC web page that originates from UMBC
- We Will Never Urgently require you to login or provide your username and password

* Carefully Examine the URL or Web Address in the Browser
- Make sure that the umbc.edu domain is in the beginning

* If In Doubt DO NOT RESPOND, contact DoIT to report your concerns

Posted by mikec at 11:40 AM | TrackBack

January 23, 2010

URGENT: Fake myUMBC Login Pages

To the campus:

The Division of Information Technology (DoIT) has seen an increase in attacks this weekend focused on getting people to provide their user name and password. These attacks, called phishing, are becoming tailored to look exactly like an official UMBC message and Login page. The goal of these attackers is to get people to provide their password and other sensitive information.

The e-mails received this weekend provide a link within the mail message to a web page that looks identical to UMBC’s real WebAuth login page. The giveaway that these are FAKE is the URL goes to a non-UMBC web page. See example of a bogus e-mail below.

If ever in doubt simply do not respond or submit information.

How Can I Tell if the Login Page is Fake?
The best way to tell is if the URL of the web page does not have the “umbc.edu” domain at the beginning of the URL.

Sample CORRECT URL: www.umbc.edu/helpdesk (Notice the correct “umbc.edu” at the beginning of the URL)

Sample FAKE URL: http://www.flushandfloose.nl/webshop/images/ru/webadmin.umbc.edu/ (Notice the FAKE “flushandfloose.nl” at the beginning of the URL)

What Should I Do If I Already Logged Into The Fake WebAuth Page?

You should immediately change your password by going to: myUMBC > Personal > Online Info > Change my Password or by going directly to https://webadmin.umbc.edu/admin/User/Maint/Password


Example of FAKE E-mails Being Sent to UMBC Account Holders

-----------------------------
Dear User,

A scheduled maintenance has just been completed on our e-mail system. In
order to keep this account active and protected, you will be required to
immediately re-login. Kindly click on the "Login to My Account" link
stated below:

Login to My Account

We apologize for any inconveniences caused.

Security Department,

E-mail Services.
-----------------------------------------------

Posted by mikec at 9:40 PM | TrackBack
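
The URL check described in the post above, written out as an added example (not DoIT's code): it looks only at the host a browser would connect to, so "umbc.edu" appearing in the path, as in the sample FAKE URL, does not count. The function name and the addresses ending in ".example" are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "umbc.edu"  # the domain the posts tell readers to look for


def check_link(url, trusted=TRUSTED_DOMAIN):
    """Return (ok, detail). ok is True only when the link's host is the
    trusted domain or a subdomain of it; detail is the host or the reason."""
    url = url.strip()
    # Browsers treat "\" like "/" and drop tabs/newlines, while urlsplit does
    # not, so the two can disagree about the host. Refuse instead of guessing.
    if "\\" in url or any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False, "backslash or whitespace in URL"
    # Bare addresses such as "www.umbc.edu/helpdesk" carry no scheme; without
    # one urlsplit would treat the whole string as a path.
    if "://" not in url:
        url = "http://" + url
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme " + parts.scheme
    if "@" in parts.netloc:
        # In "http://umbc.edu@other.example/" the real host is other.example.
        return False, "userinfo before host " + host
    # Require an exact match or a dot boundary, so a host that merely ends
    # in the letters "umbc.edu" is not accepted.
    if host == trusted or host.endswith("." + trusted):
        return True, host
    return False, host


SAMPLES = [
    "www.umbc.edu/helpdesk",                                  # from the post
    "http://www.flushandfloose.nl/webshop/images/ru/webadmin.umbc.edu/",  # from the post
    "https://webadmin.umbc.edu/admin/User/Maint/Password",   # from the post
    "http://umbc.edu.login.example/webauth",                 # constructed
    "http://webadmin.umbc.edu@login.example/",               # constructed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, detail = check_link(sample)
        print("OK  " if ok else "FAKE", detail, "<-", sample)
```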

October 26, 2009

Re-Register for E2Campus By Oct 31

A recent change to the authentication system for E2Campus means that all members of the UMBC community need to re-register for emergency campus text messages. If you registered your phone prior to August 26, 2009 you MUST login through myUMBC under your personal profile and notifications or directly at:

https://my.umbc.edu/go/alerts/

Users who have not re-registered by October 31, 2009 will no longer receive UMBC alerts.

FAQs
I already registered for E2Campus, can I migrate my old account?
Unfortunately, existing accounts cannot be migrated. All existing users will need to re-register with E2Campus. Since we now know who the person is relative to UMBC's identity management system we will not need to do future re-registrations.

How long before my existing E2Campus account is deleted?
Existing E2Campus accounts will remain functional through October 31, 2009. UMBC will purge the old accounts after this date, thus leaving the new accounts in place.

If I re-register now will I get two text messages sent to my phone?
Users that have re-registered but still have an old account (i.e. until Oct 31st) will not receive duplicate text messages. E2campus can tell if the same phone number is in their system for more than one account, and will only send one message to that phone number. After October 31, 2009, old UMBC accounts that have the same phone number as new accounts will be deleted.

Why is UMBC changing the system?
Background:
E2Campus was initially setup to use external, non-UMBC accounts. This meant that users had to create a user name and password that was hosted at E2Campus. This presented a few challenges for UMBC.
-There was no way to know a user’s affiliation (Faculty, Staff or Student)
-We can't tell if a user is still affiliated with the university (e.g. graduated, quit, terminated etc.)
-Users forgot both user name and password but UMBC DoIT Help Desk could not assist.

Solution:
DoIT worked with E2Campus to be the first campus nationally to use the Shibboleth authentication standard to provide single sign on (SSO) ability. This means that users will no longer need to create an external account with E2campus. Instead UMBC is the identity provider and passes this information to E2Campus.

Benefits of New Authentication System:
- We know who the person is and their affiliation (e.g. student, staff, faculty, grad student etc.)
- We know the person’s status (graduated, quit etc.)
- There is no password to remember since the login is done via SSO from myUMBC.
- We can purge/delete old accounts of people who have left the University

Posted by mikec at 10:19 AM | TrackBack

September 30, 2009

DoIT Staff Will Never Ask to Send Your Username and Password by E-mail

DoIT would never ask you to send details of your username and password through email or any other means.

Occasionally DoIT detect emails sent to staff and students asking them to confirm their username and password. These emails are always fraudulent: the practice is known as "phishing". Despite their appearance, a closer look at the emails will show that they will not have been sent by DoIT but by someone fraudulently posing as DoIT. DoIT would never ask you for your password, for any purpose. Remember, your password is your secret. DoIT do not keep records of passwords.

The University's Regulations forbid you from sharing your password with anyone, including DoIT staff. DoIT will not ask you for your password over the phone, by email, or by any other means.

If you ever receive a request for your username and password details via email, NEVER RESPOND to it. Instead, just delete the email.

Unfortunately, a few individuals have responded to phishing attempts, and in one case the account details were used in an attempt to perpetrate financial fraud. Please protect yourself:

1. If you think you may have responded to a phishing email, change your password immediately using myUMBC.
2. Never disclose your password to anyone.
3. Avoid using the same password on different systems (external to the University).

In particular, be very careful with your University password, and with passwords that you use for financial systems, and for email systems.

Posted by anna at 8:30 AM | TrackBack

July 8, 2009

Create Your Account Security Questions

DoIT has created a new process that will allow account holders to reset their own passwords. There are three security questions that need to be completed and a few other pieces of information such as an alternate (non-umbc) e-mail address. You can also include your cell phone number. This number will allow the University to send you an SMS (text) message when your password has been reset using the self-service password reset process. This is an added security feature to ensure that you actually authorized your password to be reset.

Create your security questions by visiting http://webadmin.umbc.edu
Go to:
- User Tab
- Account Settings
- Manage My Security Questions and Settings

In addition to the basic information, the "Level of Trust" asserted to you will be listed as Bronze (Level 1), Silver (Level 2) or Gold (Level 3). The level of trust, also known as the level of assurance, is a relatively new indicator that is being used by the Federal Government to ensure that people accessing their systems have undergone a certain degree of identity proofing. Essentially the higher your level of trust the more the system must interrogate who you are. A simple example is that Bronze (Level 1) users can use the online automated password reset while the Silver (Level 2) and Gold (Level 3) users must interact with a human to have their password reset.

The majority of UMBC's account holders are Bronze (Level 1) while anyone having a Peoplesoft Finance account is considered Silver (Level 2). For more about levels of assurance please visit the NIST website.

Posted by mikec at 1:54 PM | TrackBack

February 20, 2009

Important Security Alert For Adobe Reader and Acrobat

Security vulnerability Identified in Adobe Reader and Adobe Acrobat version 9 and earlier.

Adobe announced a security vulnerability on February 19th for Adobe Reader and Adobe Acrobat version 9.0 and earlier. Because of the wide-spread use of Adobe Reader and Acrobat we wanted to let campus IT staff know of this issue.

The security alert states that all platforms are vulnerable. The attack occurs when a malicious PDF is opened. This seems to be a result of a buffer overflow in the JavaScript engine. Disabling JavaScript inside Adobe is an effective precaution. A patch is expected by March 11. The best thing you can do till then is be careful in opening PDF files. Mac users should use Preview in lieu of Adobe Reader. Adobe is working with anti-virus vendors on developing a signature to help mitigate this and DoIT will deploy this as soon as it becomes available.

http://www.adobe.com/support/security/advisories/apsa09-01.html

Once Adobe releases a patch we will let you know and encourage updates. If we notice this becoming an active vector on campus we will let you know as well and work to communicate this on campus.


Posted by jack at 11:42 PM | Comments (1) | TrackBack

August 18, 2008

Danger! Do Not Provide Your Account Information

UMBC e-mail account holders continue to receive bogus e-mail messages requesting personal account information. E-mails such as these are known as Phishing (Click HERE for more information on Phishing). These e-mails are fraudulent and have not originated from the Division of Information Technology at UMBC. DO NOT EVER reply to these or other similarly worded e-mails.

These Fraudulent E-mails typically request information such as:
Email Username :
EMAIL Password :
Address :
City :

The Office of Information Technology Will NEVER:
• Request Your Username in Unsolicited E-mails
• Request Your Password
• Send You an Unsolicited Attachment
• Request Other Sensitive Information (e.g. SSN, Banking Information, Date of Birth, Address etc.)

Under No Circumstances should you respond to unsolicited e-mails, web links or attachments. If in doubt don’t open it and contact the OIT Help Desk for assistance.

helpdesk@umbc.edu
410-455-3838

Sincerely,
Michael Carlin
Assistant VP, Infrastructure and Support
Office of Information Technology

Posted by mikec at 11:13 PM | TrackBack

September 3, 2007

Network Attack Impacts UMBC Firewall Tuesday Night

At 10:00 p.m. on Tuesday October 2, 2007, the UMBC campus was the victim of a Denial of Service (DoS) attack. The attack, coming from hundreds of hosts, generated millions of packets and resulted in the campus Firewall becoming overwhelmed and traffic from off-campus not getting through. OIT staff responded and service was restored by 10:15pm. This affected access to all segments of the UMBC network and impacted services such as Blackboard, Webmail, myUMBC and Peoplesoft.

While this kind of event is rare, OIT security staff are investigating this issue and we are looking at what steps may need to be taken in order to mitigate this type of event in the future. We will keep you apprised of any important updates related to this issue.

Posted by mikec at 9:28 AM | TrackBack

June 18, 2007

Important Changes to Campus Network Security

OIT will be changing the campus’ default network configuration for all campus devices, servers, and desktop machines to prevent them from being accessed from off campus. This new configuration is known as “Default Deny”.

This means that by default all machines, when connected to the UMBC network, will not be able to be reached from off campus, except by logging into the campus VPN first. The use of the campus VPN http://vpn.umbc.edu (Click Here for Installation Instructions) will bypass the firewall blocks thus allowing access to on campus machines. This will dramatically reduce the potential security risks to UMBC. The good news is that most machines on the UMBC network do not need to be open to the outside world. Therefore, the “Default Deny” configuration will in no way affect the overwhelming majority of machines on campus.

However, there are some machines, servers and network devices that may have a need to be reached from outside the UMBC campus (e.g. Web Servers, File Servers etc.). To accommodate these exceptions OIT is developing a web interface, known as “NetAdmin”, which faculty and staff can access. NetAdmin will allow a faculty or staff member to open the necessary server ports on the campus Firewall to make the machine “visible” from off campus. The NetAdmin interface can be found at http://noc.umbc.edu

Timeline:
• May 17th NetAdmin Interface Released to Faculty and Staff
• May 17th to June 25th Machines Can be Excluded from the network block by entering them into NetAdmin.
• June 26th Entire UMBC network is switched to “Default Deny” via campus Border Firewall
NOTE: The actual network blocks will not go into effect until June 26th in order to provide faculty and staff sufficient time to exclude machines from the network blocks.

FAQ:
Will the Default Deny Network Configuration Cause Any Problems on Campus?
No, this new configuration only affects the campus’ border firewall. Once the changes go into effect only machines that have been excluded via the NetAdmin interface will be visible from off campus.

Can I Open Access to Any Machine?
No. Machines that are on the Dynamic Client, Static Client and Legacy DHCP Pooled networks can not be opened using the NetAdmin interface. If someone tries to open access to any of the aforementioned networks they will receive an error message saying it can’t be added and a form will be presented that will allow the user to submit a request to have that machine moved to a network that will support this. Only machines on the Departmental Server Network or the Legacy Static Address can be opened to the outside world using NetAdmin.

How Does the NetAdmin Interface Work?
Faculty and Staff will need to launch a web browser from the machine(s) that they wish to exclude from this block. Once a machine has initially been entered the user that added that particular machine will be able to manage further changes (e.g. add/remove ports) by logging into NetAdmin from any location. Just visit http://noc.umbc.edu from the machine that you want to modify your network security from.

My Network Device Does Not Have A Web Interface.
In cases where a device or machine does not have a Web browser you will not be able to open network access on your own. Instead you will need to contact the OIT help desk to request this.

Why Are You Making These Changes?
Over the past few years there has been a very liberal “Default Open” network policy for all machines on campus. Unfortunately, the reality is that most machines do not require this open access and many times the machine owners do not even realize that their machine is accessible from the outside world. With all of the security problems and data loss issues plaguing businesses it is prudent that OIT take steps to further protect and secure our data and networks. Additionally, by requiring machine owners to open access to their machines via NetAdmin, OIT will now have a responsible contact in the event of a security breach.

Posted by mikec at 10:54 PM | TrackBack

February 28, 2007

MS Active Directory Password Changes

Recently OIT altered how passwords are created and/or changed in response to recent state audit findings. More information about this can be found at: Click Here

We wanted to let you know how this will affect you as a Microsoft Active Directory account holder.

CHANGES
**Windows Users Can No Longer Change Password from Workstation
Windows PC users will no longer be able to change their passwords from the workstation. This option should now appear in grey for all machines that are correctly joined to Active Directory. Instead all password changes will need to be done from myUMBC.

**Passwords Will Now Be Synchronized
When a person changes their password from within myUMBC their password will not only be changed for systems such as Blackboard, E-mail, Peoplesoft, etc. but their MS AD Password will be synchronized to the same password. This means that MS AD users can no longer have a password that is different from their myUMBC login.


FAQ
**Are Laptops Affected?
Yes. In order for the password changes to take effect on a UMBC owned laptop you must be connected to the network while physically on campus for this to work. We recommend making your password change from myUMBC, restarting your Windows laptop, and logging in with the new password. Doing this allows your new password to be cached on the laptop so that you will be able to successfully log in to the laptop while outside of the UMBC network (e.g. at home, or while on travel).

**How Will Mac Users Change Their Password?
The good news is that Mac users that access Active Directory will now be able to easily change their password via myUMBC. Mac users will utilize the same password system as all other MS AD users on campus.

**How Do I Change My Password?
Please visit http://my.umbc.edu and Login
Go to the “Personal” Tab > “Account Info” > “Change My Password”

NOTE:
Changing your password here will not only change your Active Directory password but it will also change it for systems such as:

-Peoplesoft
-Blackboard
-E-mail
-MyUMBC
-Oracle Calendar
-VPN

**What Should I Do If I Have a Problem?
While every effort has been made to test this system, problems do occur occasionally. If you have problems please contact our OIT help desk at helpdesk@umbc.edu or 410-455-3838

Posted by mikec at 10:18 AM

February 26, 2007

Mandatory Password Changes for Administrative Users

Due to a recent state audit finding, all UMBC Administrative users (e.g. PS Portal, PS HR, PS Finance, Developers, HP, MyUMBC, MAP, etc.) are required to create a more secure password by the end of March 2007. OIT has developed a more stringent password construction policy in order to comply with state auditors (see below for password construction rules).

The new password construction rules for all MyUMBC accounts are now in effect. These password rules are enforced for changes made through the MyUMBC web interface, and through Kerberos' password change protocol.

**Why are we changing passwords?
This is in response to the state audit finding that UMBC's password authentication practices did not meet the requirements of the State of MD IT Security Policy. In order to provide greater security a more complex password is required. We are basing our password standards on the NIST Special Publication 800-63, Electronic Authentication Guideline

**How do I Change my Password?
Please visit http://my.umbc.edu and Login
Go to the “Personal” Tab > “Account Info” > “Change My Password”

**What Systems Will be Affected by this Password Change?
- myUMBC Account
- PeopleSoft Accounts
- E-mail Account (Including Webmail)
- Oracle Calendar Accounts
- VPN Account
- Microsoft Active Directory Accounts
- Blackboard Accounts
NOTE: MS Active Directory users will need to logout of their workstation and then log back in, while connected to the campus network, for this change to take effect. Microsoft AD accounts will then be synchronized with your myUMBC account password.

**Will Non-Administrative Users Be Affected?
Yes. The new password construction rules are enforced for all UMBC account holders. If a person changes their password they will be required to create a password using the same rules and requirements that are listed below. The only difference is that Non-Administrative users will have until the latter part of this year to change their password.

**Password Construction Rules
* Must be at least 8 characters in length

* May only contain printable characters (alphanumeric and symbols -- no spaces or "control" characters)

* Must include at least one upper case, lower case, and one non-alphabetic character

* Must not contain three or more recurring characters. (such as 'sss')

* Must not contain three or more characters in the order that they appear on standard keyboards.

* Passwords must not be primarily constructed of words appearing in our password dictionary.

* Passwords must not contain personally identifiable information that is known to UMBC. This includes such elements as the individual's username, CampusID, Social Security Number, Date of Birth, or elements of other directory information such as address, office number, etc.

* Passwords must be different than the last three passwords used, or have been used within the past year.
These construction rules are derived from NIST Special Publication 800-63, Electronic Authentication Guideline

Posted by mikec at 5:38 PM
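
The construction rules in the post above, as a checker that reports which rules a candidate password breaks. This is an added example, not OIT's implementation. It assumes "printable" means ASCII, a US QWERTY layout read left to right, and a caller-supplied list of personal strings; the dictionary and password-history rules need data the page does not give and are left out.

```python
import string

# Assumption: US QWERTY rows, read left to right.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Assumption: "printable" means ASCII letters, digits and symbols (no space).
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation)


def has_repeat_run(pw, n=3):
    """True if the same character occurs n or more times in a row ('sss')."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def has_keyboard_run(pw, n=3):
    """True if n consecutive characters follow keyboard order ('qwe', '456')."""
    low = pw.lower()
    return any(
        low[i:i + n] in row
        for i in range(len(low) - n + 1)
        for row in KEYBOARD_ROWS
    )


def violations(pw, personal_info=()):
    """Return the names of the rules that pw breaks, in the post's order.

    personal_info holds strings the institution knows about the user
    (username, campus ID, ...); matching is a case-insensitive substring
    test, which is a simplification.
    """
    found = []
    if len(pw) < 8:
        found.append("length")
    if any(ch not in ALLOWED for ch in pw):
        found.append("charset")
    has_upper = any(ch in string.ascii_uppercase for ch in pw)
    has_lower = any(ch in string.ascii_lowercase for ch in pw)
    has_other = any(ch not in string.ascii_letters for ch in pw)
    if not (has_upper and has_lower and has_other):
        found.append("classes")
    if has_repeat_run(pw):
        found.append("repeat")
    if has_keyboard_run(pw):
        found.append("keyboard")
    low = pw.lower()
    if any(len(item) >= 3 and item.lower() in low for item in personal_info):
        found.append("personal")
    return found


if __name__ == "__main__":
    # Constructed sample passwords; "jsmith" is a made-up username.
    for candidate in ("Tr4il-Bgk!x", "Passsword1", "Qwerty#77", "Campus jsmith9"):
        print(repr(candidate), violations(candidate, personal_info=["jsmith"]))
```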

November 16, 2006

Important Information Security Alert to the UMBC Campus

Monday, OIT Helpdesk received notification from a student in CSEE and from campus users that an error occurred when accessing the campus web site. OIT staff were able to put some mitigations in place and determine how this attack was done. The nature of this attack indicates hackers targeted the UMBC user community. The attackers used an undocumented vulnerability to insert a small image into the main web site. When the page was accessed this image would redirect the user to a site in the Ukraine. If you were using Windows and the Internet Explorer browser, version IE 6 or IE 7, the attackers would use an unpatched vulnerability in IE to compromise your system (on Tuesday 11/14 Microsoft released a critical patch for IE that blocks this attack).

We have reviewed logs and know that only a small number of machines on campus were potentially impacted. We will be working with the departmental IT liaisons and those directly impacted unless we discover additional information that warrants a notice to the campus.

Nationally, attacks such as these, called Malware, have been on the rise. Foreign criminal groups are focusing on attacking Windows systems and creating a large number of systems they can control, often called botnets. These systems are used primarily as vectors to send out Spam but once on your system they could target other information. National statistics recently released by Microsoft, indicate that 50% of machines reviewed by Microsoft have some form of Malware installed on them. Most members of the campus community have home computers. We urge everyone to review their home computer configuration. OIT has created a website that explains seven steps you can take to help secure your computer.

http://www.umbc.edu/oit/sans/security/awareness/steps.html

Follow our easy to use steps by clicking on the numbers to receive how-to instructions.

For on-campus users, while OIT has a number of network protections in place it is critical for those that are not part of OIT’s active directory setup, sometimes referred to as AD, to follow these same seven security steps we recommend for home users. We also want to reiterate that for campus users it is critical that all institutionally owned computers running Microsoft Windows, run Windows XP release SP2 and the Mcafee virus protection software we distribute. If you have a computer that is not running these it should be considered unsecure and no sensitive information should be stored or activity should take place on that machine.

Posted by mikec at 11:15 AM

June 16, 2006

International Students Privacy Security Incident

This update describes the recent personal information security update sent to selected international students.

Frequently Asked Questions


Q: Who was impacted?

A: Selected students of international origin attending UMBC from Fall 2003 to present. Of that group, 150 students' information was accessible through Google.

Q: How do I know if I was one of the impacted international students?

A: OIT sent an email and letter to each person who was affected, but if you have any questions or concerns, contact the OIT Help Desk at 410.455.3838 or privacy-alert@umbc.edu.

Q: What does "personal information" mean?

A: The personal information included name, address, date of birth, email, and Social Security Number. This information is no longer viewable, and we have no evidence (beyond an initial alert) that anyone ever did so.

Q: What should I do?

A: If you received an OIT email alert or notification, you should check your credit report. Instructions for doing this are available on the OIT Identity Protection Web site


This is the text of the email and letter sent to UMBC faculty, staff and graduate students who were NOT affected:

On Saturday, June 3, 2006, we received an email from a UMBC student who had done a Google search to find more information about an instructor for a summer school class. He found personal information for 150 UMBC people, including the instructor who is a graduate student of international origin.

The personal information was name, address, date of birth, email, and Social Security Number. This information is no longer viewable, and we have no evidence (beyond an initial alert) that anyone ever did so.

In November, 2003, an Office of Information Technology (OIT) Web site generated this information to support visa compliance of UMBC’s international students. However, a programming error resulted in files not being deleted from UMBC’s Web site after they were used. As a result, the files containing the personal information were potentially viewable by the general public. In December 2005, the visa compliance initiative was revised, and the Web site containing the files was taken down in January 2006. After this, the files were only visible in Google’s search engine until June 5, 2006, two days after we started working with Google to have them removed. In addition, OIT staff members have reviewed a list of other web search engines (e.g., MSN, AltaVista, Yahoo) to make certain those search engines did not have this information.

At this point, we have taken three steps. First, we have sent a security alert letter to 145 international students to report their personal information was potentially viewable through a Google search of each person’s name. An alert means their data was confirmed to be “out of our control” in that it was indexed by Google, and stored as part of its regular indexing process.

Second, we have sent a security notification to 1,599 additional international students to say their personal information was stored in one of many other data files found on that original Web server. We have confirmed with Google that it never indexed these other files. We have also reviewed our Web access logs back to January 1, 2006, and found no attempts to view this information, though our logs do not go back to November 2003 when the Web site was created.

To be proactive, we want to notify these 1,599 students but not alarm them. We have no evidence their information was ever accessed, and the risk that it was is exceptionally low (less than using your credit card to pay for a meal at a restaurant).

Finally, OIT is sending this email update to you and posting it as a campus Web update as part of our ongoing privacy protection efforts. If you work with international students in your department, lab, or course please ask if they were impacted and have any questions. OIT is working closely with International Education Services, the Graduate School, the Graduate Student Association, and Academic Services to provide support. We have developed an Identity Protection Web site and established a phone line, and special email address to provide help with this incident. Taking steps to protect our identity is something we all should regularly do and I strongly recommend that all members of our community review the OIT identity protection web site.

Please be aware that scam artists "phish" for victims by pretending to be banks, stores or government agencies, especially after an incident like this. They do this over the phone, in e-mails and in the regular mail. Never give out your personal information, unless you initiated the contact. UMBC will only contact you about this incident if additional helpful information becomes available. We will not ask for your full SSN, account ID, or credit card information.

I want to assure you OIT is committed to protecting the identity of UMBC students, faculty and staff. On June 7, we completed an upgrade of our campus ID card that removed our reliance upon SSN. On the weekend of June 16, 2006, UMBC will be completing a year-long effort to convert the primary ID of our current student information system away from SSN to a new campus-defined ID number. These efforts are critically important because they reduce our reliance upon SSNs and limit the data that may be potentially at risk when mistakes occur. In addition, I have ordered OIT technical staff to review all web-based applications we have developed and establish stronger procedures for programming review and testing to reduce the risk of these kinds of programming errors in the future.

Let me thank you in advance for your support of those international students impacted by this incident. Please don’t hesitate to contact me if you have questions or concerns.

Sincerely,
Jack Suess
Vice President, Information Technology


Resources:
Privacy Protection Web Site
Phone: on-campus 5-3838, local 410-455-3838, toll-free 1-866-455-8622
Email: privacy-alert@umbc.edu

Posted by anna at 10:08 AM

June 6, 2006

UMBC Campus Card Migration Begins June 7th

This is a reminder to all members of our campus community that, as of tomorrow, Wednesday, June 7, 2006, the UMBC Campus Card will be under the protective umbrella of the UMBC Identity Management System (IdMS). This is an important step toward preventing identity theft and will require the use of the New Campus Card.

For those who do not have the New Campus Card, please contact the Card office at X2-2273 (C-CARD), to make arrangements to get one.

A special note to those using the Card for Access Control: Hold on to the "Old Card" until you have verified that the New Card will grant you access to the appropriate areas. It is possible that the Access Control database may require additional time to convert, and the "Old Card" will be kept in service should the need arise.

All are reminded that the "Old Card" does contain your SSN on the magnetic stripe and we encourage the destruction of the "Old Card", after you have verified full functionality of the "New Card".

All should feel free to drop off the "Old Card" at the Campus Card window in the University Center if you wish for us to properly dispose of it.

Door Access questions should be directed to X5-3970 and X5-1222, or emailed to campussecurity@umbc.edu.

Posted by mikec at 11:17 PM