The following are types of incidents that are regularly reported to OIS. Please scroll through this information for instructions on how to report such incidents.
OIS takes phishing concerns seriously, investigating and taking appropriate action on each message reported to us. Please visit our dedicated phishing website for information on how to report phishing messages to us.
If you responded to a phishing scam and think your account may be compromised
Penn State Access Accounts
If you have responded to a phishing scam using your Penn State Access Account or believe it has been compromised (meaning accessed by someone other than you), immediately visit https://www.work.psu.edu/password to change your password. Remember to follow best password practices when creating a new password. If you use the same password across multiple accounts (i.e. financial institutions, social media sites, etc) it is highly advisable to change those passwords to new, unique passwords as well.
If you are unable to change your Penn State password or need assistance in doing so, please contact the IT Service Desk by phone at 814-865-HELP (4357) or visit them in person at 204 Wagner Building or W130 Pattee Library. More information about the IT Service Desk may be found on their website at http://itservicedesk.psu.edu/.
If you believe the credentials of a non-Penn State account have been compromised (including by means of response to a phishing scam), report the incident to the external entity’s abuse department. You can usually locate this information by visiting a website’s help section.
If you use the same password across multiple accounts (i.e. your Penn State Access Account, financial institutions, social media sites, etc) it is highly advisable to change those passwords as well.
Threatening or Harassing Electronic Communications
If you receive a direct threat or feel threatened by an electronic communication*, please contact your local police department immediately. You should save all communication you received and continue to archive any future correspondences received.
If you receive any electronic communications* that you feel are harassing in nature, it is advisable that you respond one time to the user and ask them to stop all electronic communication immediately. You should also advise them that any electronic communication directed towards you after they receive your message to cease may be considered harassment.
Here is an example message you can use to respond (it is best that no other words are exchanged).
“Please cease and desist all electronic communication immediately. Any future attempts to contact me electronically will be considered harassment.”
When sending this note, be sure to CC yourself with the email message, or save the session if using a chat type program.
If you receive any further communications after this point, you may contact the police if you wish to press charges. In that case, you should save any evidence. For example, email correspondence, including the full message headers, should be saved. (For information on how to retrieve message headers, please visit http://kb.its.psu.edu/article/810 or contact the IT Service Desk at 814-865-HELP [5-4357].)
*Electronic communications include but are not limited to email, voicemail, texts, chat logs, social network correspondences, etc.
Unauthorized Access Attempts
If you are experiencing any sort of unauthorized attempts to your system from a Penn State resource, send an email to firstname.lastname@example.org. Please include the following information when doing so:
- Detailed explanation of what happened
- Any logs you might have, including
- Time (including time zone)
- Source IP address and ports
- Destination IP address and ports
If you discover that a Penn State resource is hosting or serving malware, please report it by sending an email to email@example.com. Please include location of the offending content and the time/date/time zone when discovered.
Hoaxes and Unsolicited Commercial Email (spam)
Unfortunately, receiving email hoaxes and spam is part of today’s digital landscape. Best practice recommends that users filter and delete these emails. For assistance with maximizing filtering in your email client, faculty and staff should consult their department’s IT staff. Students, retirees and other non-faculty/staff should contact the IT Service Desk by calling 814-865-HELP (5-4357).
University Logo and Licensing Issues
OIS often receives reports of University logo and trademark licensing issues. These specific issues are handled by the University Licensing Office. If you are filing a complaint about the possible unauthorized/unlicensed use of a Penn State copyrighted image, please provide firstname.lastname@example.org with a detailed message about where the image(s) in question are located or being used.
If you are requesting the use of the University logo or a University trademark, please contact email@example.com with detailed information about what you are requesting.
If you are requesting the use of a copyrighted image or material on a Penn State hosted website, please contact the webmaster of the site where the material is located. The webmaster information is usually located at the bottom of the page or in the contact section of the website. When contacting them, please include the URL of the content you are requesting use of, the purpose of the request and the intended usage.
If you don’t receive a response in a timely manner, please email firstname.lastname@example.org with the information requested above and we will facilitate communication with the copyright holder.
To report a copyright violation located on a Penn State resource, the copyright holder or his/her designated agent should send a complete takedown notice following DMCA guidelines (refer to Section 512(C)(3)(A)) to email@example.com.
OIS makes an effort to detect compromised hosts by analyzing network traffic, but the system is not perfect. Information from unit IT staff about incidents on the network is very valuable as it helps us assess risk, respond appropriately to incidents, and guide technology acquisition. However, not all issues experienced in the field provide insight for our efforts. Here’s a quick list of incidents that we want to hear about, and a list of things that are low risk or cannot be acted upon by our office.
Issues with your website
Web servers are some of the most vulnerable points of attack on our networks. They can house code from a wide variety of sources, often with update paths that differ from the underlying OS. Custom code is seldom reviewed or audited, and often “left to rot.” Issues with Web servers can include file injections, SQL injections, cross-site scripting (XSS), session and auth poisoning, poor configurations, and lack of or mis-application of encryption. Any time one of these incidents occurs on the Penn State network, we are very interested in knowing about it. Web servers house a wide variety of data types and can present significant institutional risk. When we are able to analyze the network traffic associated with a successful Web server compromise, we can often find other similar attacks and fine tune our alerts. The OWASP Project has information about vulnerabilities and attacks, and numerous tools that help detect and mitigate issues. ModSecurity is a Web application firewall that can detect and drop most malicious attacks against Apache-based servers.
Traffic spikes and anomalies
A sudden increase or drop in traffic often indicates that something is amiss on a network. Traffic changes can be a result of a compromise, a crash, a change in user behavior, or the addition or removal of physical devices from your network. If you see changes in network traffic and cannot quickly determine their root cause, contact OIS for help with further traffic analysis. Some tools that can help monitor bandwidth are Zabbix, Nagios, and Cacti.
Spear phishing attempts
Unsolicited email messages requesting credentials are common at Penn State. We do not need to know about every scam message, but if a user receives an email message with very specific information about his/her job, or internal Penn State processes that are not widely publicized, we would like to be alerted. Spear phishing has resulted in some very high profile compromises and data leaks over the past couple years, and is normally associated with persistent, targeted activity that needs to be understood as soon as possible.
OIS uses border data to detect compromised computers. While this system is very effective, it is not perfect. If you detect a machine that is compromised, please let us know so that we can assist with compliance measures and learn from the incident.
Ads in email are annoying, but there is little we can do about them once they hit your inbox. Spammers are constantly adjusting their techniques to circumvent filters, and Penn State does not have a feedback mechanism in place for this type of email.
Pop-ups are annoying too, and sometimes even malicious. End-point protection, user education, and keeping machines up-to-date are the best defense techniques against pop-ups that try to trick users into installing predatory anti-virus or performance-tuning packages. Most modern Web browsers have controls allowing users to prevent pop-ups or other types of ads.
Port scan notices from AV packages
Several AV packages are too sensitive to normal traffic on a subnet and will tell users that they were port scanned. These are often false positives when they claim to be from a host from within the same network. A firewall at the network edge will help to reduce hostile port scans.
These lists are not comprehensive. If you are unsure, contact OIS.