Executive Summary
If you haven’t already done so, please register an alternative (emergency) contact email address.
A good alternative email address will be something like a Gmail, Yahoo, TalkTalk, or any email account that is NOT a University of Oxford email address.
This link will take you straight to the page to register an alternative contact email address: https://register.it.ox.ac.uk/self/alternative_email
Why do I need to do this?
There has been a major increase in compromised accounts right across the University in the past few months. Here at Queen’s, we have received notification of 11 compromised accounts in the past month. This is not only annoying and time consuming for the account owner, but also very scary for them as they do not know what else may have been compromised. As you can imagine a compromised account is also very time consuming for the various IT staff across the whole University – centrally in IT Services and locally within Colleges and Departments. Each compromised account owner needs to be contacted quickly, and then taken through various steps to ensure the user is safe, that University and College data is safe, and that all devices associated with the account owner are safe to use and do not pose a threat for future attacks.
What happens when an account is compromised?
A compromised account could be actively exploited for several days or even weeks before it is discovered. Generally the account owner has no idea anything is wrong.
Once OxCERT (Oxford University Computer Emergency Response Team) has identified a compromised OXFORD SSO account they will disable it and reset the password. Depending on the type of compromise the REMOTE ACCESS account may also be disabled and password reset. This leaves the account owner completely cut off from the University.
With the SSO and REMOTE accounts both disabled the only method of contacting the affected account owner needs to be by an agreed alternative method. If there isn’t an agreed alternative address then there needs to be additional security checks to ensure that IT is talking to the real owner of the account. This is further complicated when the account owner is working from home or worse still they are overseas at the time.
What do I need to do?
Please register an alternative (emergency) contact email address here: https://register.it.ox.ac.uk/self/alternative_email
Registering an alternative email address means that IT can contact you in case of an email outage, and help you get back online as quickly as possible.