Recent password breach in the news (and general password advice)

Hello all, we’ve had several people contacting us about the recent news stories about Russian hackers who have allegedly obtained over a billion passwords. For more information on the story, see the NY Times article at: That being said, the question is – what should an individual do about it? Though it has not yet been disclosed what systems and services have been breached, you can get ahead of this issue in a couple of steps:

  • Change your passwords regularly (at least yearly) – especially on any site that would give a criminal access to financial resources (banks, credit cards, PayPal, etc.) or other personal information (your email accounts, social media accounts like Facebook, Twitter, and Instagram, etc.).
  • Don’t reuse passwords. It’s very tempting to use the same password, or a small handful of passwords, everywhere online, especially as we continue to have more and more of a presence online. Unfortunately, it leads to a lot of security issues. If you use the same password on 5, 10, 20, or more sites, one of those sites getting compromised puts the rest of your accounts at risk.
  • Make sure the passwords for your email accounts are very strong. With access to your email account(s), someone can simply request password reset emails from most or all of the other sites you use.

What are some ways you can make managing passwords easier?

  • Consider using a password manager application such as KeePass (which stores the password database on your computer) or LastPass (which stores your passwords encrypted on their servers). These password managers can generate random, complex passwords per site, or just save passwords that you come up with manually. Note: Computer Services and SUNY New Paltz do not endorse or support any specific password manager application.
  • Don’t just use simple 8-character passwords. Consider using passphrases. The phrase should be something you can easily remember and associate with the site.
    • For example, I could have a passphrase for Amazon (which I still associate with books) of: Buy Stephen King Books 1974 (where I list an author I like and the year one of his books I like came out).
    • Similarly, I could have a password for my bank of: I’d prefer lots more $$ here. (which incorporates special characters as well)
  • Come up with a password system which will let you use a different password for each site in an easy-to-remember way.
    • Think of a book, movie, or song that you can associate with the site. For example, let’s say for some reason I associated the 1978 movie “Animal House” (starring John Belushi) with New Paltz. I could then come up with a quick 8-character password of: ah1978JB (first letters of each word in the movie title, the year it came out, then the capitalized initials of the movie’s star). For extra security, throw a special character before or after the year, such as ah&1978JB.
    • Create a “word image” for each site. Since New Paltz has two words, starting with an “N” and a “P”, I can come up with the word image of Noisy Pigs and make that, combined with some numbers/characters, my password: Noisy#30Pigs. Visualizing an image makes a password easier to remember.
  • As a last resort, consider keeping (in a locked drawer or other locked location) a list of usernames and passwords.
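To show why the post prefers passphrases over short, structured passwords, here is an added example (written for this page, not part of the original post) that estimates the guess space of the sample passwords above in two ways: a naive character-level model, and a word-level model in which every dictionary word costs one pick from an assumed 7776-word list (the size of a standard Diceware list). The guessing rate of ten billion guesses per second, the vocabulary size, and the rule that runs of three or more letters are treated as dictionary words are all assumptions chosen for illustration.

```python
import math
import re
import string

# Constructed sample passwords, built from the schemes described in the post
# above.  They are illustrations, not anyone's real password.
SAMPLES = [
    "Password1",
    "ah1978JB",
    "ah&1978JB",
    "Noisy#30Pigs",
    "Buy Stephen King Books 1974",
    "I'd prefer lots more $$ here.",
]

# Size of each character class an attacker has to try.  Space is counted with
# punctuation (string.punctuation has 32 symbols, plus the space itself).
CLASS_SIZES = [
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c == " " or c in string.punctuation, 33),
]

# Assumed vocabulary for a word-based attack (7776 words, a Diceware list).
# Real attackers use far larger dictionaries, so this is generous.
WORD_VOCAB = 7776

# Split a password into runs of letters, digits, whitespace, or other symbols.
TOKEN = re.compile(r"[A-Za-z]+|\d+|\s+|[^A-Za-z\d\s]+")


def charset_size(pw):
    """Alphabet size implied by the character classes present in pw."""
    return sum(size for test, size in CLASS_SIZES if any(test(c) for c in pw))


def naive_bits(pw):
    """Character-level guess space: each position independent and uniform."""
    return len(pw) * math.log2(charset_size(pw))


def word_bits(pw):
    """Word-level guess space: a run of 3+ letters is one dictionary pick,
    whitespace is assumed predictable, and everything else falls back to the
    character model for that run only."""
    bits = 0.0
    for run in TOKEN.findall(pw):
        if run.isspace():
            continue
        if run.isalpha() and len(run) >= 3:
            bits += math.log2(WORD_VOCAB)
        else:
            bits += naive_bits(run)
    return bits


def effective_bits(pw):
    """The attacker picks the cheaper model, so the weaker estimate wins."""
    return min(naive_bits(pw), word_bits(pw))


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to search half the space at an assumed offline guessing rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in SAMPLES:
        b = effective_bits(pw)
        print(f"{pw!r:34} naive {naive_bits(pw):6.1f}  word {word_bits(pw):6.1f}"
              f"  -> {b:5.1f} bits, ~{years_to_exhaust(b):.2e} years")
```

The interesting rows are the ones where the two models disagree: the character model credits ah1978JB with about 48 bits, but once the year and initials are treated as the structured pieces they are, the estimate drops to about 32, while the five-token passphrase keeps roughly 65 bits even under the word model. The lesson is the one the post makes in prose: length from several independent words beats a short string decorated with a symbol.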


Why you should say goodbye to Windows XP

It’s a hard thing to say goodbye to a trusted piece of equipment that has always been a reliable workhorse: your first car, your first cell phone, and, as of April 8th, Windows XP. While Windows XP has been a standby operating system for the last 13 years, it is finally bidding us goodbye and will officially be retired from support this coming month. Microsoft announced this news over a year ago, but some people are still holding onto their old computers – this could turn out to carry a higher price than buying a new PC! As Microsoft states, “An unsupported version of Windows will no longer receive software updates from Windows Update. These include security updates that can help protect your PC from harmful viruses, spyware, and other malicious software, which can steal your personal information. Windows Update also installs the latest software updates to improve the reliability of Windows—new drivers for your hardware and more.” Not only will you and your information be more vulnerable, but your computer will not work with the newest gadgets, inventions, or even printers!

As of April 8th 2014, Microsoft will no longer be issuing security updates for Windows XP, which will leave any system still running it open to a myriad of security issues. This could leave your personal and financial information more vulnerable to being compromised – something that can take years of work to set right again, and hours of frustration finding out the financial havoc that has been wrought. With many alternatives out there – Windows 7, Windows 8, or perhaps the new Apple OS, OS X Mavericks – there are a few ways of solving this problem. Unfortunately, the only safe way to keep your XP computer is to keep it disconnected from the Internet, and who wants to do that? The Internet is where all the cats are….

Advertisement Blocking

One common threat to computer security (both your own devices and campus computers) is malware distributed through advertising networks. The advertisements you see on most sites are not actually provided by that site – they are delivered through third parties such as Google, Yahoo, or a host of others.

Unfortunately, weaknesses in the security of these ad networks have led to compromises of them, both small scale and large scale. Most recently, people who went to sites where ads were delivered by the Yahoo ad network were at risk of viruses just by viewing those sites.

Because of the prevalence of these security issues, you may want to consider using an ad-blocking plugin with your web browser, such as Adblock Plus. Ad-blocking software selectively refuses to load portions of a site, based on the URLs of images and other resources the page requests.

The most common software for this is called “Adblock Plus” and it can be obtained for free from: Using this software (or something similar) adds a layer of protection on top of the protection your anti-virus software already provides.
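As an added illustration of the URL-based selection described above (example code written for this page, not Adblock Plus’s own code), the following implements a small subset of the Adblock Plus filter syntax: `||` host anchors, `^` separators, `*` wildcards, `!` comments, and `@@` exception rules. The filter list and the URLs it is tested against are constructed from reserved example domains and do not name any real ad server.

```python
import re

# Constructed miniature filter list in Adblock Plus syntax.  The domains are
# reserved example names, not a real list and not real ad servers.
FILTER_LIST = """
! Lines starting with '!' are comments.
||ads.example.net^
||tracker.example.org/pixel*
/banner/*
@@||ads.example.net/allowed^
"""

# '^' in a filter is a "separator": any character that is not a letter, digit,
# or one of _ - . %, or else the end of the URL.
SEPARATOR = r"(?:[^\w\-.%]|$)"
# '||' anchors to the start of a hostname: any scheme, then optional subdomains.
DOMAIN_ANCHOR = r"^[a-z][a-z0-9+.\-]*://(?:[^/?#]*\.)?"


def filter_to_regex(rule):
    """Translate one rule (with any leading '@@' already removed) into a regex."""
    domain_anchor = rule.startswith("||")
    if domain_anchor:
        rule = rule[2:]
    start_anchor = not domain_anchor and rule.startswith("|")
    if start_anchor:
        rule = rule[1:]
    end_anchor = rule.endswith("|")
    if end_anchor:
        rule = rule[:-1]
    body = "".join(
        ".*" if ch == "*" else SEPARATOR if ch == "^" else re.escape(ch)
        for ch in rule
    )
    if domain_anchor:
        body = DOMAIN_ANCHOR + body
    elif start_anchor:
        body = "^" + body
    if end_anchor:
        body += "$"
    return re.compile(body, re.IGNORECASE)


def load_filters(text):
    """Split a filter list into (blocking_rules, exception_rules)."""
    block, allow = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("@@"):
            allow.append(filter_to_regex(line[2:]))
        else:
            block.append(filter_to_regex(line))
    return block, allow


def should_block(url, block, allow):
    """An exception rule always wins; otherwise block on any matching rule."""
    if any(r.search(url) for r in allow):
        return False
    return any(r.search(url) for r in block)


BLOCK, ALLOW = load_filters(FILTER_LIST)


def classify(urls):
    """Map each requested URL to True (blocked) or False (loaded)."""
    return {u: should_block(u, BLOCK, ALLOW) for u in urls}


if __name__ == "__main__":
    for url, blocked in classify([
        "https://ads.example.net/script.js",
        "https://cdn.ads.example.net/script.js",
        "https://notads.example.net/script.js",
        "https://ads.example.net/allowed/pixel.gif",
        "https://www.example.com/banner/top.png",
        "https://www.example.com/page.html",
    ]).items():
        print("BLOCK " if blocked else "LOAD  ", url)
```

The point to notice is that the decision is made per request from the URL alone, before anything is fetched: a script served from a blocked ad host never reaches the browser, which is exactly why an ad blocker helps against malware pushed through an ad network. The `||` anchor also shows why matching on the registrable host matters: `cdn.ads.example.net` is blocked, while a look-alike such as `notads.example.net` is not.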

Note: SUNY New Paltz takes no position on whether advertisements should or should not be blocked. This recommendation is purely from a security standpoint, due to the cases of malware impacting ad networks. We are unable to install or configure these applications on your computers or devices.

Credit card scams and you

Everyone has been hearing in the news about the recent credit card breaches involving Target, Neiman Marcus, and others. Because of this, hopefully you are all checking your credit card statements (both personal, and campus procurement cards for those who have them) regularly for fraud. Even if you haven’t shopped at a retailer that is identified as being compromised, checking regularly is important.

That being said, scammers are taking advantage of the fear over the recent breaches and trying to get your personal/financial information as a result. There have been many reports of people getting phone calls stating that their credit or debit card is locked.

What do you do if you receive such a call? First off, if the call doesn’t even identify what bank it is for, you can safely treat it as a scam and hang up. If they do identify the bank, you should still hang up and contact your bank yourself. You should ONLY use the phone number on the back of your card or the phone number on your bank/credit statement. Those are the only safe methods in a situation like this. Never discuss any personal/financial information on a phone call you did not initiate.


National Cyber Security Awareness Month


October is National Cyber Security Awareness Month, and this year celebrates its 10th anniversary (as well as the first time we’re highlighting it at New Paltz). This month, we will be kicking off some new promotional material focusing on Cyber Security Awareness. You’ll be seeing these around campus starting this week.

The campaign’s slogan is: STOP. THINK. CONNECT. What does it mean?


STOP: Before you use the Internet (including email, social media, eCommerce sites, and campus systems and services), take time to understand the risks and learn to spot potential problems.

THINK: Take a moment to make certain the path ahead is clear. Consider whether you are at a legitimate site, or one that is merely appearing to be legitimate.

CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself, your computer, and (for faculty & staff) the sensitive data that you may have access to.

These aren’t just meaningless slogans. When our faculty & staff have fallen for scams, they almost always say after the fact “I just wasn’t thinking” or something of that nature. With how fast our lives and communications move, we start operating almost automatically, and it’s easy to skip thinking about the situation you’re in. Online, though, you have to stay mindful of what you are doing before connecting to the site or system you are using.


Why protecting your credentials matters

So you’ve heard all our warnings and pleadings about fraudulent attempts to get your campus username & password. You may be thinking “So what? It’s not like I have anything important on my New Paltz account, what does it matter?” or, more commonly, “Why are they (the scammers) even bothering?”

Well, there are lots of reasons to be concerned. Aside from the duty all employees have to safeguard their usernames and passwords as a matter of policy, there are several types of harm that can come from your username & password being obtained by criminals (i.e., phished).

  1. Many people on campus have access to sensitive information (in sources such as Banner, Blackboard, or their campus Email account). Inadvertently giving your credentials out to criminals can potentially expose these sources of information.
  2. A phished account is almost always used to send fraudulent messages. These fraudulent messages will be sent not only to random people around the world, but to your own colleagues and contacts in your address book. Future messages to these people, even after your account has been cleaned up, may be blocked (since past messages from your account were fraudulent).
  3. You could cause mail from SUNY New Paltz to be blocked or delayed. When email service providers detect an inordinate number of spam complaints about mail from a certain source (such as SUNY New Paltz), they may block or throttle all of it over time. Getting these blocks removed takes time, and mail to our students, faculty, and staff could be lost during the block.
  4. Having your New Paltz account compromised could lead to other, personal accounts (your financial accounts, your social media accounts, etc.) being compromised. If you either used the same password on your New Paltz account as on other sites (which you shouldn’t) or used your New Paltz account as the ‘recovery email’ for another site, you are leaving yourself at risk if your New Paltz account is compromised.


Phone Scams

Everyone has seen or heard about scam emails which try to get you to give out sensitive information (usernames, passwords, bank accounts, social security numbers, etc.) or which contain viruses. What is becoming more common, though, is computer-related fraud over the phone.

How to recognize fraudulent phone calls

  • The caller will state that they are from “Windows Support”, “Google Support”, or some other technology company. They will say they are calling about your computer.
  • The calls will frequently (though not always) have international or odd (not the standard digits) caller ID numbers.
  • The calls will be unsolicited (they won’t be a follow-up to an existing support case you may have).
  • The callers will often speak in heavily accented English.

What to do if you receive such a phone call

Just hang up. Don’t give your name or any other information to the caller, and definitely do not follow any of the instructions they give you.

If you’ve already been a victim of these calls

If you have already been contacted by these callers and did what they asked you, then do the following:

  1. First – change ALL passwords to sensitive sites that you use, especially financial institutions, New Paltz accounts, other email accounts, and social networking.
  2. If you are a faculty or staff member and this happened on your office or other campus-owned computer, contact the Faculty/Staff Help Desk for assistance in cleaning your computer of any malware the criminals had installed.
  3. If you are a faculty or staff member and this happened on your personal computer, seek professional assistance (via a local computer repair service) to make sure your computer is virus/malware free.
  4. If you are a student, seek assistance at the Student Help Desk.

Phishing – what, how and why

By now, most people have seen at least one phishing email. The campus was hit with a few very widespread mailings earlier in the Fall 2012 semester. We’re going to cover what phishing is, why it is used by criminals, and most importantly how to recognize it when you see it.

What is Phishing?

The term is a portmanteau of phreaking and fishing. It describes methods where a user is baited into getting hooked by a scam. The actual bait used can be a promise of reward (click here to win!) but is more commonly a warning or threat. This includes phrases such as “click here to validate your account within 48 hours or your email will be shut down”, or “we’ve seen suspicious activity on your account, reply back with your username and account number to prevent your credit card from being closed”.

What is their purpose?

It depends on what kind of email you are receiving and what the immediate goal of the scammer is, but the end goal is always financial gain for the criminals involved. There are two primary types of phishing emails that I’m going to call primary and secondary phishing.

Primary phishing is when the criminals are looking for the information which will net them actual financial gain. This is usually credit card numbers, bank account numbers, usernames & passwords for banks, PayPal, or e-commerce sites, etc. When users provide this information to the criminals, funds are pulled from these accounts (often within minutes). These scams are much harder to get through spam filters, especially when sent from random free email accounts like AOL or Hotmail.

Secondary phishing is when the criminals are looking to obtain usernames & passwords for email accounts, especially at ‘trusted’ email providers like businesses or colleges. These emails try to get you to think something will happen to your email account if you don’t comply. They may not even try that and will just send an email with a link (and the link asks you for your username & password). When the scammers have the usernames & passwords for accounts at trusted providers such as SUNY New Paltz, they are then free to send their fraudulent emails for financial gain (primary phishing) to addresses across the Internet, with more likelihood that they will be allowed through spam filters.

How to recognize phishing

  • Be cautious about clicking on links in emails, and be doubly cautious if you have clicked a link and it brought you to a page that requires you to log in.
  • Don’t be fooled by names alone. For more sophisticated phishing attacks, the criminals will take the time to study their targets. They may put the name of someone you know in the email to make it look more trustworthy.
  • Think about what you are being asked to do. If the sender is legitimate, do they really need what they are asking for? For example, a common tactic is for scammers to ask you to validate your account by logging in. If you’ve received their email (and you already had to log in to access your email), then what is the point of this supposed validation?
  • Phishing doesn’t just happen over email. It can be over the phone as well. If someone calls saying they are from your bank (especially when they don’t even mention the NAME of the bank), you don’t verify who you are to them; they called you. Ask them to verify who they are. If in doubt, hang up and call the business or institution directly (through a number on your statement/card/etc.).
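The first two points above can be partly automated. The following added example (written for this page, not from the original post) pulls every link out of an HTML message body and flags the patterns phishers rely on: a raw IP address as the host, link text that shows one domain while the href points to another, and hosts outside an assumed set of trusted domains. The sample message is constructed from the lures quoted in the post using reserved documentation addresses, the trusted-domain set is an assumption, and the two-label “registrable domain” helper is a deliberate simplification of what a real filter would do with the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body modelled on the lures quoted above.  The
# addresses use reserved documentation ranges and names (198.51.100.0/24,
# .test, example.edu) and do not refer to any real system.
SAMPLE_HTML = """
<p>Click here to validate your account within 48 hours or your email will be
shut down: <a href="http://198.51.100.23/login">Validate now</a></p>
<p>Or sign in at <a href="http://webmail-example.test/login">webmail.example.edu</a></p>
<p>Campus portal: <a href="https://portal.example.edu/">https://portal.example.edu/</a></p>
"""

# Domains the organisation really hosts logins on (assumed for this example).
TRUSTED_DOMAINS = {"example.edu"}

IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# A domain name that appears in the visible link text, with optional scheme.
DOMAIN_IN_TEXT = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'registrable domain': the last two labels.  A real filter would
    consult the Public Suffix List instead (simplification for this example)."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, [reasons])] for links that deserve a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if IP_HOST.match(host):
            reasons.append("host is a raw IP address")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if host and registrable(host) not in trusted:
            reasons.append(f"{host} is not a trusted domain")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the first two links are reported (an IP-address host, and text reading webmail.example.edu that actually goes to webmail-example.test) while the genuine portal link passes. The same checks are what a person does by hovering over a link before clicking: look at where it really goes, not at what it says.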

Preventing Spyware & Malware on your computer

If you follow a few safety guidelines, it’s really not difficult to protect your computer from getting infected with viruses, spyware, and other malware. It’s equal parts technical protections and common sense.

  1. Keep your software updated. It’s extremely important to have your computer’s software up-to-date. This is especially true for the following (which are the most common vectors for virus infection):
    1. Operating system updates (Windows Updates and any Apple updates)
    2. Updates to Adobe Flash & Adobe PDF
    3. Updates to Java (note: when Java updates, if you don’t specifically uncheck a box during the install, it will want to install an unneeded ‘toolbar’. Make sure to uncheck any unneeded extras that are offered when updating.)
    4. Updates to your web browser. Recent versions of Firefox, and all versions of Google Chrome, automatically update to the latest version. Note: Internet Explorer 9 is still not certified with Banner. If you use Banner in your office, don’t update to Internet Explorer 9.
  2. Be cautious about what you are downloading online. Don’t pollute your computer with toolbars, screensavers, cool mouse cursors, etc. Don’t download games to your work computer.
  3. When downloading something, ask yourself if you need it (and if you’re at work, ask yourself if it’s appropriate for your work computer).
  4. Don’t believe warnings about viruses on your computer unless they come from the anti-virus software that you actually have installed. A common tactic of criminals is to place fraudulent warnings about viruses (either as ads or pop-up ads) on websites. Legitimate anti-virus messages will come from Symantec on campus computers and from whatever anti-virus you have installed on your home computer.

For extra protection, consider using Mozilla Firefox or Google Chrome with an ad-blocking plugin for your web browsing whenever possible. You’ll have to continue using Internet Explorer for Argos and Banner, for now at least.

Ad Block Plus is available for Mozilla Firefox and Google Chrome at:


Keep Work and Personal email Separate

As we have advised in the past, it is a good practice to have separate accounts for work and personal email. In this age of e-discovery, this is becoming even more important.

It has always been a best practice to have a campus Zimbra account to use for work email and calendar. For those of us who started using “” years ago, we may have had a mixture of personal and College emails going to that account. In addition, a few of us may not want to “bother” checking two accounts, and so we forward all of our “” email to our Google or Hotmail account and read and respond to work correspondence from there. This is not a good practice. Security may well be different on your personal email account, and it is best to keep potentially private correspondence about staff and students in a more secure place. Also important, we are in the age of e-discovery, where electronic correspondence may well need to be archived and potentially reviewed subject to a court order for cases pending against the University. If you have a mixture of College and personal emails going to a single account, everything co-mingled in that account may be scanned subject to the court order. This unintended and undesirable consequence is easily avoided by having a “work” email account which is used strictly for College business.

If you’ve been keeping things together for a long time (and having personal mail sent to your New Paltz email), now is a good time to start weaning yourself off this. Set up a personal email account (if you don’t have one, we recommend Gmail) and start having your friends and personal contacts use that address instead of your New Paltz account. It’s not something you have to cut over all in one day (and doing so gradually will make the process easier). Aside from that, it’s nice to be able to check your personal email at home & on vacation without seeing your work email hanging over you!