Ask Your CISO, Current Non-Threats, Security Awareness Newsletters

This Week’s Cybersecurity News, 02/19/2025

Posted on Feb 19, 2025Share on

picture with four smartphones each displaying a different kind of multifactor authentication

Hello, everyone.

This week I want to tell you about one current non-threat that affected a limited number of people, but I wanted to make sure everyone who got the email was included. I want to continue the conversation about Duo today and I have question for Ask Your CISO.

Current Non-Threat

  • CampusGuard Portal (email)
    • On Monday an email was sent to the Merchant Points of Contact for the UTIA merchants processing credit cards.
    • The sender is No Reply <noreply[@]campusguardcentral.com>.
    • The subject is CampusGuard Central New Portal Information.
    • The message tells you that the new CampusGuard Central application is live and available for your use.
    • The message also gives you the link for the portal and lets you know that you should use the “Login with SSO” button using your institutional credentials, which would be your NetID and password.
    • This email is legitimate.
    • On Monday the login wasn’t working properly, so if you tried and couldn’t get in this is why.
    • I just logged in and everything appears to be working with the exception of several Merchant POCs that are incorrect.
    • If you are a Merchant POC and did not get the email, please know that I am working with UTSA to correct their information.

Important Security Tips

  • More Duo Tips and Information
    • Two weeks ago I devoted my newsletter to Duo in light of many direct deposit incidents UT had seen.
    • That newsletter can be found at This Week’s Cybersecurity News, 02/04/2025, in case you deleted the email.
    • On 02/12/2025, UT Department of Technology Solutions sent a systemwide email with the subject Important Notice Regarding the Importance of Multifactor Authentication that also gives information about this problem.
    • These types of attacks are continuing at alarming rates, not only at UT but around the world.
    • In the past few days I have had several questions regarding Duo that made me realize I should go over additional information that may be helpful for you.
    • One question I have been asked recently is why the location shown in the Duo notification is NOT the actual location of the user.
    • There are a few reasons why the location may differ.
      • Because Duo cannot track your actual location, it has to rely on network information.
      • The location displayed is based on the IP address used to initiate the login.
      • The IP address can vary based on things like your VPN, proxy settings, or even the network you are connected to and these don’t always correlate with your actual physical location.
      • Keep in mind that a VPN (Virtual Private Network) changes your IP address by routing your traffic through a VPN server, making it appear as if you are connected to the Internet from the location of the VPN server and not your actual location.
    • What should you do if the location shown does not make sense to you?
      • If the location shown is in another country, deny the push immediately!
      • Check the app that the notification is asking if you are logging into.
        • If you are trying to log into something UT-related then the app shown (e.g., UT Central Authentication Service, UTK Directory, etc.) should let you know if the login was requested by you.
        • This is one of the most significant ways to know if the notification was for a request you initiated.
      • Check the time you requested the login.
        • Did the notification come right away?
        • Is the time showing correct?
      • If the app and/or the time shown are wrong, them deny the request.
      • You can always initiate the request again.
      • If you deny a request three times, your Duo account may be locked but this is not a bad thing.
      • If your account is locked, call the UTK OIT HelpDesk at (865) 974-9900, and explain what has happened.
      • Even if your account is not locked, the HelpDesk staff can look up your last 10 approved requests and can determine if the questionable one is actually okay.
    • I have also been asked why the Duo login is not showing up when you go to a UT site.
      • This may be because you have recently logged into this site and have not closed your browser since then, even if the login has expired.
      • Your Duo account may be inactivated.
      • It may also be because you have chosen the “Yes, this is my device” option when Duo asks if this is your device.
        • It is best to never choose this option because if someone were to access your computer, they would be able to access the UT systems that they should not have privileged access to.
        • Always click “No, other people use this device” to protect yourself and those UT systems with sensitive data.
      • If you are not being shown the Duo popup after a login, please call the UTK OIT HelpDesk at (865) 974-9900.
    • The UTK OIT HelpDesk has the ability to reactivate your Duo account.
    • The UTK OIT HelpDesk has the ability to see your last 10 approved requests.
    • The UTK OIT HelpDesk has the ability to help you reinstall Duo, if necessary.
    • And always remember how important it is to pay attention to every detail when using Duo or any other multifactor authentication app.
      • Never approve a Duo request that you did not initiate, which means you need to review each request to ensure it is correct.
      • If you receive a push notification that you did not initiate, deny it and immediately report it to the UTK OIT HelpDesk as fraudulent activity.
      • Never share your Duo passcodes with anyone and remember that only someone up to no good will ever ask for your passcode, while the rest of us know that is not allowed.

          Ask Your CISO

          • I didn’t have the red Report button you mention for reporting phishing emails, so I forwarded it like you said. So why did I get a message back saying that I’m not supposed to report by forwarding unless I am a UTK Gmail user? Did I do something wrong?
            • First of all, no, you did exactly what you were supposed to do.
            • This message is an automated reply that goes out to anyone who forwards messages to abuse@utk.edu.
            • I had let OIT Security know when they first introduced the new Report button that many of our users do not have that button available in the older, yet still supported versions of Outlook they are using.
            • OIT Security said they would continue testing these versions of Outlook so the button would be available, but that has not happened just yet.
            • I spoke with a longtime HelpDesk person who handles a lot of the abuse emails yesterday and explained this to her, including the autoreply message that users are seeing.
            • I let this person know that part of the issue with having to use the older supported versions of Outlook has to do with SharePoint issues with the newest Outlook.
            • I was assured that if you are using one of the Outlook versions that does not have the Report button, then you certainly can forward the message to abuse@utk.edu and the person said she would work on getting the autoreply message changed.
            • Thank you so much for asking about this so I could let everyone else know about the possibility of this autoreply!
            • And for the full, current instructions for reporting, please visit Reporting Phishing Attempts & Junk Email.

          I cannot thank you all enough for being so attentive to all things security. It makes me realize that you not only read these newsletters, you retain the information and use it every single day. Thank you for all you do to help keep the Institute’s data safe, as well as the University’s and your own. I love helping you and I am here anytime you have any questions or concerns!

          Sandy

          Important Note: Thank you so much for sharing these e-newsletters with family, friends, clients, students, and anyone else who may benefit from the information. I would like to stress that you should keep your students in mind, as non-employee students will not get this information without someone sharing. If anyone else has an email group for students who are not employees of your department, please let me know that address and I can include it. I do this as a blind copy so student names and addresses will not show up!

          Sandy Lindsey
          Chief Information Security Officer
          Information Technology Services
          The University of Tennessee
          Institute of Agriculture

           

           

          G061​ McCord Hall
          2640 Morgan Circle Drive
          Knoxville, Tennessee, 37996
          Phone: (865) 974-7292; (865) 806-5224
          sandy@tennessee.edu