Be Vigilant: New MS Word Attack

May 30th, 2022

There is a newly discovered vulnerability in MS Word (and likely other MS Office apps) that could install malware on your computer. All faculty, students, and staff are encouraged to be especially vigilant about opening any attachments.

Named the Follina MSDT zero-day attack, it is unlike most malware downloads. This exploit can be triggered with a hover-preview of a downloaded file that does not require any clicks (post download).

This is a 0-day attack that sprang up out of nowhere, and there is currently no patch available. This 0-day features remote code execution (attacks that allow an attacker to remotely execute malicious code on a computer), and bad actors can elevate their own privileges and potentially gain “god mode” on your computer.

Because this malicious code can be triggered as simply as opening a Word doc, even in preview mode, we ask the BU community to again be extremely vigilant: verify the sender of an email, consider the timeliness and context (were you expecting an attachment?), and stop and think. Taking a moment to verify the validity of the email message can protect you until a patch is released!

Stay safe and read more:


Security Advisory: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

April 20th, 2022

The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.

All faculty and staff should remain vigilant in the face of this ongoing threat.

Click here to find out more and read this advisory on the Cybersecurity & Infrastructure Security Agency’s website.

BU Information Security

The Spring 2022 Shred and Recycle Event

April 8th, 2022

Dear Faculty, Staff & Students,

In partnership with BU Sustainability, BU Information Security is excited to host the Spring Shred & Recycle event from April 26th through April 28, 2022. The events are open to all faculty, staff, and students to safely and securely dispose of documents (especially papers with personal or sensitive information) and hard drives. You can also recycle batteries, lightbulbs, toner, electronics and cords.

How do I know when I can dispose of Boston University documents?
This is a great opportunity to consult the University’s Record Retention Policy. This policy assists University staff responsible for the creation, storage and maintenance of records (physical and electronic), and clearly defines how Boston University requires records to be handled to ensure legal requirements are met, to preserve their availability, and to destroy outdated records.

Do some spring cleaning on your office filing cabinets, desk drawers, and dorm rooms and get ready to visit us at:

CRC East Kenmore Parking Lot 549 Comm Ave:
Tuesday April 26, 2022 from 10:00am-1:00pm

CRC West Agganis Arena Parking Lot 925 Comm Ave:
Wednesday April 27, 2022 from 10:00am-1:00pm in the parking lot behind Agganis Arena

BUMC Talbot Green 715 Albany St:
Thursday April 28, 2022 from 10:00am-1:00pm in front of the Talbot Building

Take this chance to protect identities, destroy confidential data, and recycle all at the same time! There is no limit to the amount you can shred and recycle.

You can find information on the Shredding Event, plus other helpful materials on our Information Security webpage here.

Security Advisory: Google Chrome and Microsoft Edge release update to patch security vulnerability

March 29th, 2022

There is a significant flaw in Chrome (CVE-2022-1096) that was announced on Friday, March 25th and has since been featured in the news. This one has received attention because there is an exploit available for it amid higher global tensions. The bug is also in shared code that is used in Microsoft Edge, which may potentially impact a lot of browsers. Now that a patch is out, the risk is mitigated by the fact that browsers are generally configured to update themselves by default. In some cases, it may be necessary to restart the browser.

To check your version:


Chrome needs to be updated to version 99.0.4844.84 or newer.

To find your version for Chrome:

1. Click on the vertical triple dot menu on the right hand side of the address bar
2. Pick Settings
3. On the left hand side of the page it brings you to, pick “About Chrome”
4. If it’s not up to date, it should invite you to update it. It may be necessary to restart the browser.


Edge needs to be updated to version 99.0.1150.55 or newer.

To find your version of Edge:

1. Click on the horizontal triple dot menu on the right hand side of the address bar
2. Pick “Help and Feedback”
3. Pick “About Microsoft Edge”
4. If it’s not up to date, it should invite you to update it. It may be necessary to restart the browser.
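For anyone checking more than one machine, the same comparison can be scripted. This is an added example, not part of the original advisory: it compares reported version strings against the two minimum versions given above, component by component, because a plain text comparison would wrongly rank 99.0.4844.100 below 99.0.4844.84. The host names and the sample inventory are constructed for illustration.

```python
import re

# Minimum patched versions, taken from the advisory text above.
MIN_PATCHED = {"chrome": "99.0.4844.84", "edge": "99.0.1150.55"}

VERSION_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

def parse_version(text):
    """Extract a four-part version from text and return it as a tuple of ints."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part version found in {text!r}")
    return tuple(int(part) for part in match.group().split("."))

def is_patched(browser, installed):
    """True when `installed` is at or above the advisory minimum for `browser`."""
    return parse_version(installed) >= parse_version(MIN_PATCHED[browser.lower()])

def needs_update(inventory):
    """Return rows that are below the minimum or whose version cannot be read."""
    flagged = []
    for host, browser, version in inventory:
        try:
            if not is_patched(browser, version):
                flagged.append((host, browser, version))
        except (ValueError, KeyError):
            # Unknown browser or unreadable version: flag it for a manual check.
            flagged.append((host, browser, version))
    return flagged

# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE = [
    ("lab-01", "chrome", "Version 99.0.4844.84 (Official Build) (64-bit)"),
    ("lab-02", "chrome", "99.0.4844.100"),  # numerically newer than .84
    ("lab-03", "chrome", "99.0.4844.51"),
    ("lab-04", "edge", "99.0.1150.55"),
    ("lab-05", "edge", "98.0.1108.62"),
    ("lab-06", "edge", "unknown"),
]

if __name__ == "__main__":
    for row in needs_update(SAMPLE):
        print("update needed:", *row)
```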

Find more information here

Security Advisory: Beware of Fraudulent Duo Prompts!

March 16th, 2022

Dear Students, Faculty, and Staff,

We write to alert you to a new level of phishing attack that is currently being launched against Boston University and several other institutions across the country. This attack exploits some Duo multifactor authentication options. Please review this advisory carefully.

The attacks will typically begin as an email with a generic subject, such as “An important message from BU”, containing a link which takes you to what looks like the BU WebLogin page but, upon closer inspection, does not have the correct address, nor does it have a secure (https) connection. If a BU login name and password are entered, you are then directed to a fake Duo authentication page asking you to generate and enter a passcode. If you respond, the attacker will gain control of your account.

Interface of the Two-step BU login: login and password in first prompt, and Duo verification passcode in center field on second.

Here’s how you can protect yourself:

Use Duo effectively

• Whenever possible, use Duo Push through the mobile app – it is the most secure option.

• NEVER authorize a prompt or call you did not initiate, whether it’s through the phone or a push. Click on “Deny”!

• Never provide another person with a Duo authorization passcode.

Look at the link

• Before clicking on any link, verify the link by hovering over it to display the destination web address.

• Be suspicious of any e-mail with a link that takes you directly to an authentication page.

• Verify that any site asking for authentication via the web uses a ‘’ address, with,, and, being the most common.

• The URL should always start with https://. The “s” is critical – it means “secure”.
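The two link checks above (https, and a host that really belongs to the university's domain) can be expressed as code. This is an added example, not part of the original advisory; `university.example` is a placeholder for the trusted domain, and the sample links are constructed. It shows why the host must be compared as a whole name or true subdomain rather than by looking for the trusted name somewhere in the link.

```python
from urllib.parse import urlsplit

# Placeholder domain (assumption); substitute the institution's real one.
TRUSTED_DOMAIN = "university.example"

def check_login_link(url, trusted_domain=TRUSTED_DOMAIN):
    """Return (ok, reason) for a link that leads to a sign-in page."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not https"
    # .hostname drops any 'user@' prefix and port, and is lower-cased.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    # Accept the domain itself or a true subdomain. A substring or bare
    # endswith() test would also accept 'notuniversity.example'.
    if host == trusted_domain or host.endswith("." + trusted_domain):
        return True, "ok"
    return False, f"host {host} is outside {trusted_domain}"

# Constructed sample links for illustration.
SAMPLES = [
    "https://weblogin.university.example/login",
    "http://weblogin.university.example/login",
    "https://weblogin.university.example.signin-check.test/login",
    "https://weblogin.university.example@signin-check.test/login",
    "https://notuniversity.example/login",
]

def review(links):
    """Map each link to its (ok, reason) verdict."""
    return {link: check_login_link(link) for link in links}

if __name__ == "__main__":
    for link, (ok, reason) in review(SAMPLES).items():
        print("PASS" if ok else "FAIL", link, "-", reason)
```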

If you clicked on a link and provided your password, or approved a Duo prompt you did not initiate:

• Change your BU password immediately:

• Contact the BU IT Help Center: or 617-353-HELP.

Two factor authentication remains the most effective mechanism to deter the use of stolen passwords. However, there will always be bad actors looking to break through even the most robust defenses. Following the tips above will keep your account, and Boston University, secure and protected.

BU Information Security

Security Advisory: Shields Up Advisory & Reporting a Security Incident

February 24th, 2022

Dear Faculty, Students & Staff,

As has been reported in the national news media, the United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a call for heightened vigilance against cyber-attacks due to recent actions of Russia related to Ukraine. Termed “Shields Up,” CISA has advised that we lower reporting thresholds and take various other steps, all of which are consistent with BU cybersecurity practices. We are actively engaged in a heightened level of threat monitoring, remediation of vulnerabilities and compromised accounts, as well as preparation for major incident handling. We have also taken steps over the past years to increase our resilience, like expanding the use of Duo multifactor authentication.

We encourage anyone who is aware of a potential cybersecurity vulnerability or event affecting Boston University accounts, computers, or networks to report all available information. Please contact your BU IT support organization or any time that you think you may have observed a cybersecurity vulnerability or event. Here are some things to look for:

• Someone else appears to have access to your accounts or devices, as evidenced by changes to your account, records, files, or email that were not made by you.

• You can view personal information you do not think you should be able to see.

• Your computer is behaving as if someone else has control over it, such as the cursor moving, the camera being turned on, or text being typed.

• Someone outside of your known IT support contacts you and seeks your assistance in gaining access to your system or otherwise bypassing security controls.

• You have found a way to circumvent a Boston University cybersecurity system.

To report an incident, contact your organization’s IT team or contact the IT Help Center at or by calling 617-353-HELP (4357). For more information visit:

Thank you for your help in keeping Boston University cybersafe!

BU Information Security

CISA Releases Guidance on Protecting Organization-Run Social Media Accounts

December 9th, 2021

CISA has released Capacity Enhancement Guide (CEG): Social Media Account Protection, which details ways to protect the security of organization-run social media accounts. Malicious cyber actors that successfully compromise social media accounts—including accounts used by federal agencies—could spread false or sensitive information to a wide audience. The measures described in the CEG aim to reduce the risk of unauthorized access on platforms such as Twitter, Facebook, and Instagram.

To read more, click here for the report on the Cybersecurity & Infrastructure Security Agency’s website.

BU Information Security

How to Back Up Your Computer

September 29th, 2021

When was the last time you backed up all your important documents and photos? Last month? Last year? Never? Setting up a good backup system can seem time-consuming and intimidating, but it’s neither. Anyone can do it, and everyone should. In less than 15 minutes you can have a system that backs up your files automatically—both to an external drive and to encrypted cloud storage—without any regular action from you.

Click here to read more in the New York Times’ latest Wirecutter article.

BU Information Security