IT security

The Incident Response Team (IRT) at LiU

Report any form of incident, such as intrusions, intrusion attempts, spam, network abuse, and so forth that is associated in any way to Linköping University, regardless of whether the university is affected, or the cause of, the incident. The Incident Response Team (IRT) does not handle issues that have no connection to Linköping University.

Contact information: abuse@liu.se or via phone 013-28 17 44. Please write or speak English (or Swedish) when contacting us.

Responsible use of the university's IT resources

Students are required to follow the rules for using the IT resources at the university and sign an agreement to do so.

See the rules for use of IT resources at Linköping University (English version is available in PDF).

Antivirus programs

Antivirus programs have become less important as malware has become better at foiling them, but it is still a good idea to use one.

The IT Division recommends Microsoft’s antivirus program for use on a PC. It doesn’t receive the best rating in tests, but it is best in ensuring that other safety functions in the system are not compromised.

Security features in your LiU inbox

Safe Attachments

Safe Attachments searches for known and previously unknown threats in files that are attached to emails, and only lets the email through if attachments are assessed as safe. The search normally takes a few seconds, or, for large files, a few minutes. In exceptional cases it can take longer.

Safe Links

Links in emails are scanned for malicious links and content that is used in phishing and other attacks. If this type of content is found, it is blocked. Links will have a slightly different appearance; they will have an addition in the form of a prefix added to the original link: https://eur01.safelinks.protection.outlook.com/. This addition will cause the link to be searched by the security system.

Sometimes you may see a dialogue box, which says that the link is being scanned. If the link is OK, you will soon be able to use it. If there is a suspicion of phishing, you will be warned to not click on the contents. If there is a high likelihood of phishing, the link will be blocked. If you assess that this is not correct, contact the IT Helpdesk to deal with the issue.

Tips for good IT security

Passwords

Passwords are to be regarded as valuable information. For this reason, you must choose passwords carefully and think about how you use them. If a system has its own rules about passwords, these requirements have a higher priority that the general advice given here.

Never reveal your password to another person. No one should ask you for your password, not even the technical personnel at the university.

Do not use your LiU password at any other location than LiU.

10 useful tips

If you prefer to use a classic password, there are a number of things to think about.

1. Passwords must be sufficiently long. Nowadays, ten characters is a reasonable minimum length, but it is preferable to use at least fifteen characters.
    
2. Passwords must contain different types of character. Use at least one number, one special character (plus, minus, slash, full stop, etc.) and one uppercase letter. On the other hand, it is a good idea to avoid such characters as “å”, “ä”, “ö”, etc., which can cause problems on certain systems.
    
3. Do not use your username, name or other personal information as a password or even part of a password. It is far too easy to find such information.
    
4. Avoid words from dictionaries and the names of other people, places, countries, etc. People who try to crack password use long lists of common words and names from several languages.
    
5. A good way to create a password can be to make up a chant that is easy to remember. Then take the first letter of each word to make the password, and remember to use both uppercase and lowercase letters with some numbers and special characters. And the more childish and funny the chant, the easier it will be to remember it!
    
6. If you must use the same password on several systems, remember to never use the same password for secure or important systems as the one you use for insecure or unimportant ones. Never use your LiU password for services outside of LiU.
    
7. Avoid writing your password down. If you must, despite everything, do so, never write in the same place the password, username and identity of the system for which they are used. Remember that obvious places are poor places to store account information. For this reason you should store paper notes in secure places, and not under the keyboard or the top drawer of your desk.
    
8. Change password when necessary. If you suspect that your password has become known by anyone else, change it immediately. There is no real reason to change password regularly. The only reason may be to change to a password that is longer or easier to remember.
    
9. Never send a password by normal, unencrypted, email. There is a risk that it goes to the wrong recipient or that someone eavesdrops on it as it passes.
    
10. No one should ever ask for your password. This is the case for the IT Helpdesk and all other system personnel. If someone does ask: refuse to reveal your password and report the event immediately to the LiU IRT. See contact information at the top of this page.

Passphrases

It can be a good idea to use a passphrase as an alternative to a classical password. Passphrases are often easier to remember and easier to type in (despite being longer), while giving increased safety.

Passphrases consist of a number of randomly chosen words. As long as the words have been chosen truly randomly, numbers, special symbols or similar characters are not necessary.

There are around 6 x 10¹⁹ different passwords of length ten characters. If five words are chosen at random from a list of 10,000 words, 1020 possible passphrases can be formed – even if only lowercase letters are used.

A simple way of creating passphrases is to use diceware. A passphrase constructed using diceware should have at least six words. Se more information about Diceware at Wikipedia.

Phishing

Email has become the principal tool of cybercriminals. Linköping University is subject every day to attempts to steal information or commit fraud, and it nearly always starts with an email message.

Phishing is often clearly targeted

Attempting to trick someone into sharing sensitive information by sending them a fraudulent email is known as phishing. LiU is more or less constantly the target of phishing attempts. The attempts are often rather easy to see through, but co-workers and students sometimes receive extremely closely targeted attempts known as spearphishing. These can be extremely difficult to see through.

Be aware when reading email and be suspicious as soon as you are encouraged to visit a website and type in your username and password. The most common attempts are usually pretty obvious: They claim to have been sent by the IT Division, but use the wrong name for it (such as “Liu email team” or “IT Services”). They threaten, for example, that your account will be closed if you do not confirm it. Sometimes, however, a phishing attempt is made that is more difficult to see through. You may receive, for an example a message that says that new functions are available in LiU’s email system, and you can find out more by logging in. The phishing attempt then provides a helpful link, but this is not to the LiU website. It goes to a website with the same appearance that transmits everything you type into it to the criminals behind the phishing attempt.

File a case report with the LiU IRT group if you:

• have been the target of phishing that is in your opinion particularly convincing
• have been the target of attempted fraud, particularly if account numbers or other bank details have been sent to you
• have been the target of an attempt to spread malware that is in your opinion particularly convincing.

Contact information is available at the top of this page.