Phishing emails continue, CTS tries to find solutions

It has been two weeks since the beginning of the Labor Day weekend’s phishing scam, but remnants remain of the incident that impacted approximately 1,600 Oswego State email accounts.

As of Thursday, Sean Moriarty, chief technology officer, reported that 240 more accounts have been suspended in recent days. He estimated that the phishing and spam activity over the weekend of Sept. 11 was 15 percent of the levels from the weekend of the initial outbreak.

Campus Technology Services (CTS) is taking both reactive and proactive action in the wake of this incident. One way it is adjusting is by improving its spam filters, but it is also working to help students with suspended accounts to access their important academic documents for the time being.

“Over the weekend, we did reach out and talk to people and email the help desk to try and help [students] get up and running, so they would still have access to Blackboard and learning materials,” Moriarty said. “But they didn’t have access to their emails until they fixed and changed their password.”

As CTS plans for the future, it recognizes these plans may take longer to put into place. The department plans to rein in an outside system’s ability to send emails to listservs and to seek out and deactivate alumni email accounts that are not being used.

Another proactive measure being taken is to adjust the restrictions on password creation, which Moriarty realizes must be changed.

“Since we use Single Sign On, our password strength is only as good as our shortest system, in terms of password length, or the weakest system we have,” Moriarty said. “We’re going to go through and update and upgrade those systems, so we’ll lengthen the password [and] people will be able to do longer password strength.”

CTS is also seeking the assistance of the New York State Cyber Security Operations Center (CSOC) with plans for the future, but it is unclear at this time how much help it will provide.

According to Moriarty, CSOC is regularly brought in by CTS departments around the state to tell schools about the risks they face and what needs to be done to go in and clean things up. That being said, he went on to say that information from the incident was sent over Labor Day weekend and there is no guarantee CSOC will send back any information to his department at all.

CTS will continue to evaluate its systems internally and determine whether or not it is at risk beyond the phishing attempts. In the meantime, Moriarty has a few tips, which he follows himself, for Oswego State email account users to better protect themselves in the future.

“I think moving forward people should be vigilant and aware. It’s really not just their Oswego account because I would imagine most people have one or two personal accounts too,” Moriarty said. “They should be changing their passwords on a regular basis and there’s just a lot of breaches, whether it’s like the Ashley Madison incident where everything was basically stolen. I think you have to be wary of the information that you’re going to go and put out there.”

Moriarty also urges users to think about where they log on.

“Another thing I would say is be careful where you’re working because there’s a lot of places that have unsecure wireless access points that the information can be stolen from too,” Moriarty said.

Moriarty does not believe Oswego State is safe from cyber attacks just yet, as hackers continue to target email accounts over the weekends. He expects it will take a while for the hike in incidents to subside. For now, he urges account holders to think about the positive effects of being diligent with their security.