Security | Information Technology | University of Pittsburgh

Security

DMARC Email Validation System

Increasing incidents of phishing attacks, email spoofing, and compromised email accounts continue to threaten the security of the University’s computing environment.

Phishing Alert: Fake Email Scam Mimics Pitt Passport Login Page

Friday, May 20, 2022 - 22:05

 

Pitt Information Technology has identified a new email phishing scam targeting University students, faculty, and staff. The scam claims you have a new important message and prompts you to click a link to view it. The link directs you to a webpage that mimics the Pitt Passport login page, which attempts to collect your Pitt username and password. The scam appears to originate from a University email address.

The following is a sample of the recent scam. Note that this scam message may appear in your junk email or quarantined email folder. Always use caution in responding to messages in these folders. If you receive this message (or any message similar to it), please report it as a phishing scam by forwarding the email message as an attachment to phish@pitt.edu. Detailed instructions on reporting scams are available at https://www.technology.pitt.edu/security/phishing-scams.

******************************************************************************

From: Pitt user
Subject: Secure Message

You have 1 New Important Message

Click below to view message details.

<malicious link>

University of Pittsburgh

******************************************************************************

Clicking the link displays a webpage that mimics the Pitt Passport login page:

Pitt IT strongly recommends that you do not reply to unsolicited emails or emails from unverifiable sources. If you were not expecting to receive such an email, confirm with the sender prior to interacting with the message. If you must interact with the message, avoid clicking on links contained in such emails. These may lead to sites that contain malicious software, or sites that attempt to steal your credentials. If a link looks suspicious, you can hover over the link with your mouse to preview the URL without clicking on it.

In addition, Pitt IT recommends that all students, faculty, and staff install Antivirus and Anti-Malware (Malwarebytes) Protection. Departments can submit a help request to obtain Malwarebytes for multiple machines.

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.

Modern Authentication Affects Some Outlook Logins Beginning May 20

Friday, April 22, 2022 - 11:36

 

Effective Friday, May 20, 2022, Pitt Information Technology will enhance Pitt Email security by enabling Microsoft’s Modern authentication protocol. 

Pitt IT is required to make this change in response to Microsoft’s announcement that it is ending support for Basic authentication and replacing it with the more secure Modern authentication protocol. These authentication protocols dictate how users log in to their email client: Basic authentication relies only on your username and password, whereas Modern authentication leverages Pitt Passport and multifactor authentication.

In alignment with Microsoft’s requirement, Pitt IT will prepare the University’s computing environment in two phases:

  • Phase 1: Enable Modern authentication on May 20
  • Phase 2: Disable legacy Basic authentication by Aug. 1

Take Action: Prepare for Phase 1 (before May 20)

  1. Understand how logging in to the Outlook desktop client will change.

After Modern authentication is enabled on May 20, you will occasionally be prompted to log in to your Outlook 2016 or later desktop client with Pitt Passport and multifactor authentication, similar to the way you log in to Microsoft Teams today. Outlook will not prompt you to log in every day. However, like Teams, Outlook may prompt you to log in if you have not used it in a while.

  2. Convert sponsored accounts that are used to share mailboxes to resource accounts.

In some departments, individuals may be sharing the credentials of a sponsored University Computing Account to manage a Pitt Email mailbox or calendar. Effective May 20, resource accounts will replace sponsored accounts as the method for sharing the management of Pitt Email mailboxes and calendars. If you currently share a sponsored account with others in your department for this purpose, please complete the steps on our website as soon as possible to transition the account to a resource account before May 20.

Take Action: Prepare for Phase 2 (before Aug. 1)

Software and services that are incompatible with Modern authentication will stop working after Basic authentication is disabled on Aug. 1. Please take the following steps now to prepare: 

  1. Upgrade your desktop email client if you are using Outlook 2013 or an earlier version.

    To ensure uninterrupted access to your Pitt Email, individuals who use Outlook 2013 or previous versions should upgrade to the current version of the Outlook desktop app through Office ProPlus before Aug. 1. Outlook 2013 will no longer work with your Pitt Email after Aug. 1. (To determine your current version of Outlook, choose File > Office Account > About Outlook.)       
     
  2. Prepare Pitt Email on your mobile device.

    Individuals who access Pitt Email from their mobile devices are encouraged to use the Microsoft Outlook mobile app for Android and iOS devices. Most major third-party email apps also support Modern authentication, including, but not limited to: Gmail app for Android and the built-in Mail app for iOS 11.3.1 and later. (Learn how to find your iOS version or find your Android version.)
     
  3. Ensure departmental applications that integrate with Pitt Email/Calendaring support Modern authentication.

    Departments should identify applications that are using Basic authentication to connect to Microsoft-hosted resources and transition them to methods supported by Modern authentication. In some cases, application developers may need to adjust permissions or change the email protocol.
     
  4. Upgrade non-Outlook email clients and transition from legacy email protocols.

    Individuals who access Pitt Email from non-Outlook email clients (e.g., Thunderbird) should verify whether the client supports Modern authentication. If it does, ensure the client’s settings have been updated to enable Modern authentication. If the client does not support Modern authentication, upgrade to a client that does and configure it appropriately. In addition, those who use legacy email protocols like IMAP, POP, and EWS to connect to their Pitt Email will need to switch to email clients that support Modern authentication.

Learn More

Additional details about how Modern authentication affects you, including answers to frequently asked questions, can be found on our Modern authentication webpage and Microsoft’s webpage. This page will be updated as more information becomes available.

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have questions or need assistance.


Qualtrics Security Guide

This document provides a detailed breakdown of how to use Qualtrics securely. It is the responsibility of the user to ensure that proper security is followed when using Qualtrics.

To access Qualtrics, go to my.pitt.edu and enter “Qualtrics” in the search bar.

Steps to Securing a Qualtrics Project:

  1. Managing Access

  2. Survey Access

  3. Password Protection

  4. Prevent Multiple Submissions

  5. Prevent Indexing

Enable Support for TLS 1.2 or 1.3 on Web Browsers

In keeping with security best practices, the University is requiring the use of current web browsers to ensure continued access to University web services—including Pitt Passport.

Zoom Security Guide

The following information outlines the steps necessary to host more secure Zoom meetings and webinars. Using the settings recommended below can protect your meetings against Zoom bombing, a practice in which an uninvited attendee disrupts a Zoom meeting by sharing inappropriate or offensive material. 

Phishing Alert: Payroll Notification Scam Links to Malicious Website

Monday, December 7, 2020 - 09:56

 

Pitt Information Technology is responding to an email phishing scam that claims to be a payroll notification from the University. The email links to a malicious website that attempts to capture an individual’s University credentials and mimics a Microsoft login page. The scam originates from outside the University, but the message claims to be from a University of Pittsburgh source.

The following is a sample of the recent scam. If you receive this message (or any message similar to it), please report it as a phishing scam by forwarding the email message as an attachment to phish@pitt.edu. Detailed instructions on reporting scams are available at https://www.technology.pitt.edu/security/phishing-scams.

******************************************************************************

From: Pitt <external email address removed>
Sent: Sunday, December 6, 2020 2:11 PM
To: Doe, J <jdoe@pitt.edu>

Subject: Payroll Notification 

You have a payroll update from pitt.edu Staff Portal

<link removed> to read.

Best Regards,
pitt.edu.

******************************************************************************

Clicking the link in the email takes the reader to a fake Outlook Web App login page like the one shown below:

Pitt IT strongly recommends that you do not reply to unsolicited emails or emails from unverifiable sources. If you were not expecting to receive such an email, confirm with the sender prior to interacting with the message. If you must interact with the message, avoid clicking on links contained in such emails. These may lead to sites that contain malicious software, or sites that attempt to steal your credentials. If a link looks suspicious, you can hover over the link with your mouse to preview the URL without clicking on it.

In addition, Pitt IT recommends that all students, faculty, and staff install Antivirus and Anti-Malware (Malwarebytes) Protection. Departments can submit a help request to obtain Malwarebytes for multiple machines.

Please contact the Technology Help Desk at 412-624-HELP (4357) if you have any questions regarding this announcement.

Pitt Adopts New Antivirus Solution

Due to an unexpected and significant increase in licensing fees, the University of Pittsburgh adopted Microsoft Defender for Endpoint as its new enterprise antivirus solution, replacing Symantec Endpoint Protection (SEP) effective Friday, June 5, 2020.

Moving to Microsoft Defender for Endpoint provides the opportunity to deliver an excellent antivirus solution at substantial cost savings for the University,


EMAIL AND ACCOUNT SECURITY

Keep Your Accounts, Yours

The Account Administration service enables the University to manage its account services in an effort to securely verify and protect its identity with tools, such as Multifactor Authentication and Federated Authorization Process (Student Mart Access).

Those who utilize our Pitt Email (Outlook) service are also provided with access to select services to securely manage email communications with Advanced Threat Protection and Enterprise Spam and Virus Filter Service with Exchange Online Protection (EOP).

IT GOVERNANCE

Practice Good Governance with Our Guidance

Pitt IT regularly updates its security knowledge base with the latest governance standards, while also ensuring the University’s safety against external attacks and internal accidents with industry-leading security methods and best practices. Request guidance or support from Pitt IT or learn more with the resources below.

IT Governance and Regulatory Compliance

Maintain compliance with applicable laws and regulations for restricted data (e.g., DFARS/CMMC, FERPA, GDPR/PIPL, GLBA, HIPAA, NIST 800-171, PCI)

Data Classification & Compliance

Protect the privacy of students, alumni, faculty, and staff through precautions and data classification measures that guard against unauthorized access.

Governance & Policy Security Guides

Maintain safety practices around policies and standards with our easy-to-follow guides — developed and maintained for accuracy by Pitt IT Security and organized below.


IT POLICIES AND PROCEDURES

Master University Guidelines

Pitt IT has partnered with University communities to establish security policies that help protect computers and information from security threats — such as viruses, Trojan horses, hackers, and other forms of cybercrime.

Review these policies to help your department protect its data, while also adhering to state and federal regulations regarding technology.

View IT Policies & Information

IT SECURITY AUDIT SUPPORT

Manage Security Audits with Our Help

Pitt IT Security is available to assist departments and schools in all IT security audit needs — including regulatory requests. Contact us for expert guidance in managing and executing audit processes through risk identification, evaluation, and mitigation.

IT Audit Guidance

Request risk-based security audits from Pitt IT Security to determine if your University data is adequately protected. Assistance is also offered in cases where departments are requested to perform and report internal IT audits.

IT Risk Management

Improve your departmental risk identification, evaluation, and mitigation capabilities by working with Pitt IT Security to identify risks, assess any potential impacts, and lessen risks by implementing mitigation controls.

IT Contract & Agreement Review Service

Review contracts and agreements with our guidance to determine if your department and the University can meet contractually obligated data-security requirements.

THREAT AND INCIDENT MANAGEMENT

Identify Risks Before They Become Threats

Pitt IT Security can help you identify potential threats before they become issues for your department. Are you concerned that your data has already been compromised? Pitt IT Security will help you assess the situation, manage the incident, and respond to University stakeholders and legal partners.

IT SECURITY ARCHITECTURE AND ENGINEERING

Build a Security Strategy that Fits Your Needs

Security architecture can help you design and document key elements of your overall security program, which ensures that your department and users can understand and utilize methods for creating safe, collaborative digital environments. Pitt IT Security will work closely with you to create a well-defined strategy that fits your needs and uses industry-leading best practices to enable your department’s security and success.

Strategy and Design

Plan and create your IT environment with security as a top priority.

Security Tooling

Implement the proper tools and security measures for your needs.

Solution Engineering

Design and develop secure solutions that fit your unique work processes and data needs.