Cybersecurity Resources for Tax Season

Campus community,

April is a prime month on the calendar for cyber criminals as they exploit tax season, looking to phish your accounts or trick you into installing ransomware. Cyber attackers aren’t only after money, either. They’re targeting the influence and ideology of the university community. It’s more important than ever to stay vigilant and protect yourself and your privacy. 

Here are some helpful reminders that can keep you safe online:

  • Look out for mobile phone-based spearphishing attacks like smishing and vishing. Attackers impersonate people you know, like your boss or an old friend, and ask for a quick callback or text. Sometimes even a simple reply or clicked link is enough for attackers to gain access. 
  • Know how to spot and report common phishing attempts. An SJSU employee will never ask you for your login information or your password, regardless of how legitimate the email, phone texts, or chat messages may appear.
  • The best way to protect yourself and your data from ransomware is to have reliable cloud backups.

SJSU IT offers resources to secure your home devices:

Our SJSU IT Cybersecurity & Safe Computing website has many more helpful tips. If you know or suspect you’ve been the victim of a cyber attack, don’t hesitate – report it quickly to our IT Information Security team by email at security@sjsu.edu or by phone at 408-924-1705 so we can help.

Thank you,
Bob Lim

Critical Google Chrome Update

Dear Campus Colleagues,

I’m emailing to make you aware of a recent critical security update to Google’s Chrome Browser. We recommend updating to the newest version as soon as possible. 

Google has designed Chrome to self-update, but you’ll need to push the “Update” button to complete the process. It’s located in the top right-hand corner of your browser window and looks like this:

If you do not use the “Update” button, here’s how to manually update your Chrome browser to version 99.0.4844.84.

How to Update Chrome Browser Manually

  1. Open Chrome Browser and navigate to Help → About Google Chrome
  2. Chrome should immediately check for updates on its own and begin downloading and installing. Once complete, click the Relaunch button and confirm you are now running 99.0.4844.84.

  3. Repeat step 1 and verify that the update has successfully installed.

We strongly encourage you to do this on every device you own to ensure that your data is kept secure from this vulnerability. Many other web browsers work on a similar architecture to Chrome, so we encourage you to check the update status of whatever browser you’re using and make sure your software is current.

As always, SJSU IT is available to provide whatever assistance you may need. The SJSU IT Service Desk is available online, by phone at (408) 924-1530, or via email at itservicedesk@sjsu.edu.

Thank you,
Bob Lim

Bringing Multi-Factor Authentication to Our Students

In Spring 2021, we moved to protect our entire student population with multi-factor authentication (MFA). We rolled out MFA to more than 47,000 students in five waves, with the last group of accounts activated on April 9, 2021. As of today, 100% of SJSU accounts are protected with MFA.  

Our data shows that MFA works at SJSU. From September 2020 to February 2021, just before the student rollout, MFA blocked access almost 100,000 times, which is 4.6% of all attempted logins during that time span. Recently, other campuses without MFA have been attacked through unprotected student accounts. 

Protecting our student accounts with MFA is a major part of our strategy to be one of the most secure campuses in the country. Attackers have started playing the long game. They’re gaining access to student accounts, targeting people majoring in fields that are high income or who may have access to valuable research. Once they have passwords that work and access they can use, they wait five, ten, or more years to use that access to ransom user data or get into secure corporate systems. MFA for our students isn’t just about protecting them while they’re on campus, but protecting them when they’re alumni. 

There are lots of people in SJSU IT who worked on this rollout, but we couldn’t have done it without the support of Student Affairs, especially Robb Drury and Bonnie Sugiyama. I want to call out Maggie Panahi, Jason Ferguson, Sharon Watkins, Alfred Eclipse, Tristan Orlino, Andy Trembley, and James Anderson for their contributions. 

Best regards,
Bob Lim

Premium Password Management for SJSU

One of the driving goals of SJSU IT is to make San Jose State University the safest campus in the country. Our strategy for getting there is to make security easier. We use a layered approach to put extra barriers between attackers and your data. One of the simplest but most effective protections is good password management — having strong passwords unique to each site you use that you change regularly. But that can be a pain. With dozens or hundreds of accounts all over the web, it’s almost impossible for us to keep track of what passwords we’re using where and when we last changed them. A password manager simplifies that whole process for you, making everyday security easier.

I first let campus know about our plans to bring LastPass’ enterprise password management to everyone in our campus community at no cost back in October 2020. LastPass will suggest, store, and autofill extra-secure random combinations of numbers, letters, and symbols for all of your accounts. Because LastPass encrypts all of your passwords, it’s much more secure than keeping them on a notepad or Google Doc and more reliable than trying to remember everything. 

The SJSU IT Information Security Office will continue to keep you updated on when it’s ready for you.

I want to thank Ravi Pisupati, Michael Hastings, Nikhil Mistry, Tristan Orlino, Andy Trembley, Bruce Gardner, and Jason Ferguson for working on bringing LastPass to our community.

Best regards,
Bob Lim

Simplifying Password Changes and Resets

An example of the password challenge screen.

SJSU IT will be simplifying the way you change and reset your password for your SJSUOne account. When these changes go live, you’ll be prompted to add a challenge question and answer to your account. Once completed, you will have the ability to reset your password directly through the login interface you’re already using. The new process is simpler and more user-friendly — you’ll be notified of your expiring password when you attempt to log in and have the option to change it right away.

While this is a small change for our university, it represents a double-win for our long-term technology strategy. This closes two small holes for attackers to exploit (adding a challenge question and allowing you to change your password right away without reminder emails or going to another site), getting us closer to our goal of becoming the most secure university in the nation. It also streamlines backend processes, increasing opportunities for automation and integration.

We’ll email our faculty, students, and staff with more details when we go live in March/April 2021.

I want to thank Maggie Panahi, Natasha Jones, Andy Trembley, Tristan Orlino, Jason Ferguson, Sharon Watkins, and Bruce Gardner, who have been working hard to get this ready.

Best regards,
Bob Lim