Information Security & Policy Blog

  • Actively Exploited Vulnerabilities in Internet Explorer and Adobe Flash

    *Update 2014-05-02*

    Microsoft has released a patch for the Internet Explorer vulnerability. If you haven't enabled daily automatic updates as described below, you should. You can also visit Windows Update directly.

    Read the rest

  • Fraudulent IRS Federal Tax Returns

    We have received approximately 25 reports from faculty and staff who have had a fraudulent 2013 federal tax return submitted to the IRS in their name.  

    The University Information Security and Policy Offices have reported these cases to the FBI, U.S. Secret Service, and the IRS.  

    Read the rest

  • Vulnerability in Microsoft Word

    On March 24th 2014, Microsoft released an advisory describing a vulnerability in all supported versions of Microsoft Word that is triggered by opening a maliciously crafted Rich Text Format (RTF) file. Users of Microsoft Outlook may also be at risk, because by default Outlook uses Word to view certain email types.

    Read the rest

  • Critical Apple Security Update

    SSL Authentication Flaw

    Apple has released critical security updates to address a dangerous bug in Apple's implementation of SSL/TLS that affects multiple versions of iOS 6, iOS 7, Apple TV OS 6, and OS X 10.9 (Mavericks). Without these updates applied, it is possible for an attacker on the same network to intercept some types of data, for example over the WiFi connections commonly available in coffee shops, libraries, and other public venues.

    Read the rest

  • Vulnerable version of NTP being exploited

    A vulnerability in NTP, the Network Time Protocol service used to synchronize system clocks on Unix and other systems, is currently being exploited.

    Read the rest

  • Vendor Data Security Workbook

    When institutional data is shared with a third party (for example, an information technology cloud provider), the university Committee of Data Stewards (CDS) requires an assessment by the UISO.

    Please check out our updated process page here for more details.

    Read the rest

  • Don’t become another phish story!

    You get an email that appears to come from IU. The senders sound like they really need your passphrase, and right away. They sent the email in such a hurry that it's riddled with spelling errors. You reply with your passphrase without delay.

    It all looked so legitimate. Except it was not. What was wrong with it? There are several “tells” that should raise suspicions. First and foremost, they're asking for your passphrase. IU will never ask for your passphrase or login credentials via email or phone. Second, they need it now, now, now! And third, the misspellings are a dead giveaway.

    Read the rest

  • Mobile Device Security Shakedown PT.1 iPhone

    The Apple iPhone is, arguably, the most popular and recognizable icon of the smartphone industry. If you’ve never owned one, chances are you have seen one or dreamt of the care-free life depicted in every iPhone commercial. While smartphones have brought to our fingertips the vast knowledge contained in the Universe and video of your buddy’s newest kittens in costumes, these devices are also a repository for some of our most valuable information.

    Read the rest

  • Policy IT-28 Cyber Risk Mitigation

    Updated: August 12, 2013

    The IU policy was approved on May 17, 2013, and now has a new name: Cyber Risk Mitigation Responsibilities (IT-28).

    The approved policy language represents significant evolution based on feedback from the university community. We invite you to review the final version.

    Original post: March 13, 2013:

    Policy Draft IT-28 Provisioning of IT Services

    The University Information Policy Office recently posted and distributed a new policy draft for review, Policy IT-28 Provisioning of Information Technology Services.

    Policy IT-28 was drafted and developed with input from key stakeholders, paying particular attention to the Board of Trustees' concerns related to information and information technology risk — which have been continually highlighted by internal audits and repeated security incidents.

    IT-28 seeks to reduce the university’s exposure to threats and create economic efficiencies by leveraging common IT infrastructure and services to the greatest extent practicable (thereby freeing up resources for unit-specific needs).

    VP for IT and Chief Information Officer Brad Wheeler spoke at a town hall meeting on March 8th on “Mitigating Cyber Risks”, covering the current risk environment and the development of IT-28.

    Read the rest

  • Product Claims as Compliance Panacea

    IT security and compliance professionals are often asked about products and compliance with industry standards such as HIPAA or PCI-DSS. The vendor of a product that someone wants to purchase may state that the product is compliant with a specific industry security standard. As a result, a system administrator or end user may assume that they no longer need to worry about compliance, presuming that simply using the product bestows automatic compliance on them. How oh so convenient that would be if only it were true, which it is not.

    Read the rest