InfoSec Blasts from the Past

Every October, Boston University hosts an Information Security Awareness Week.  October is National Cyber-Security Awareness Month, and institutions around the nation put out programs and share information about how to keep our computers, web accounts and information more secure.

One of the things we do during our awareness week is to send out a series of emails called “Blasts” that each highlight something important about information security that everyone should know.  Here are some of the messages from past years whose advice is just as important today.

2013 Blasts

Spy Phones! Keeping your phone secure is more important than ever

BU Information Security Presents: Spy Phones! Keeping your phone secure is more important than ever.

Black Hat and DEFCON are two of the largest security expert and hacker conferences in the world.  This year many of the talks were about security vulnerabilities and newly discovered hacks for smartphones.

One group did research on a set of 650,000 phones and found that an average of one phone in every 1000 is compromised.  Almost half of the hacked phones were iPhones, even though Androids outnumber iPhones by 3 to 1.

There were several other talks describing how to turn a compromised phone into a spy phone, turning on the camera and microphone without the permission of the owner, stealing pictures, email messages and texts and learning everything there is to know about the owner of that phone.  Many celebrities have found themselves highly publicized victims of such hacks, but in this era of identity theft and financial fraud, the everyday person is just as susceptible.

What you can do to help protect your phone from being compromised:

  • Set up your phone securely.
    • This also helps protect you if you lose your phone  [youtube.com/watch?v=spaQGWasqHY]
    • At a minimum, put on a password and set your phone to lock after a few minutes.
    • For a good checklist, see: [ bu.edu/infosec/policies/security-hardening-of-ios/ ]
  • Never jailbreak your phone.
  • Always get your apps from the official app stores.  (We have seen a few counterfeit BU mobile apps available from non-official sources.)
  • Pay attention when an app update asks for a new permission.  The original app may have been tested for malware by the app store, but updates come straight from the author, not from the app store; this is a common way of compromising a phone.
  • Keep your phone updated.  When Apple or Android releases an updated version of their operating systems, make sure you back up your phone and then install the new version.

BU Information Security is working with a cross-disciplinary group to review the mobile device security policy and technical security requirements and capabilities for phones that may contain sensitive data entrusted to BU.  That group includes CRC and BUMC staff, CRC and BUMC teaching faculty, research faculty, and BU personnel that also work at Boston Medical Center.  More information will be coming later this year as a result of this review.

Tomorrow:  One click compromise.  Phishing is not always about getting your password – sometimes all they want is for you to click the link…

Best,

Quinn Shamblin, Executive Director of Information Security, Boston University

Get more great tips!  [ bu.edu/infosec/isaw/blasts/ ]

Follow me on twitter @BUInfoSec

(NOTE:  Links in this message were sent as non-clickable clear text so you can see exactly where they are sending you and confirm that the destination is one you can trust.  If your email client made the link clickable (many do), you should still get into the habit of not clicking any email links, but copying and pasting them into your browser after confirming they are really where you want to go.)

One click compromise

BU Information Security Presents: One click compromise

Phishing is not always about getting your password – sometimes all they want is for you to click the link…

Most attempts to hack your computer, phone or tablet are related to one of two things:

  1. stealing your identity or financial information for the purpose of financial gain or
  2. compromising your computer so that it can be used by the bad guys as an extension of the network of computers they control (which often leads back to reason #1)

Take 30 seconds to view the amusing woes of Mike, who has been a victim of identity theft:
“I’m Mike” – [ youtube.com/watch?v=h_LSbm_RKHc ]

Most malicious software is installed automatically without your permission when you visit a website or click a link that hosts malicious software.  Those links are often sent to you by email or text messages.  These “phishing” messages are crafted by the bad guys to make you click a link.  They might promise a funny video or claim to be a receipt for products that you never bought or claim to be a security warning from your bank or credit card, etc.  Never click a link in an e-mail or text message, unless you know the sender and you were expecting the message.  (Just because it is from a friend, does not mean it’s a good message.  What if your friend’s account was hacked?)

While you should remain vigilant throughout the year for phishing messages, there is often an increase in these types of messages around the following events:

  • Holidays and other seasonal events, including tax day and the start of a new semester.
  • Playing off of a well-known or publicized event.
  • In solicitations after a tragic event.
  • Unsolicited requests for confirmation of account credentials.

The URLs on this page were originally sent as regular text, not as clickable links.  Your e-mail client may have made them clickable anyway.  It is best to get in the habit of looking at a URL to confirm that it is a place that you trust.  Then, paste it into your browser instead of clicking on it.

  • While we’re on the subject of identity theft, if you ever use public computers, be sure you log out before you leave them.   “Log Out for Computer Safety” – [ youtube.com/watch?v=x_gcCURLOZc ]
    • If you use Facebook to sign into other sites, you are leaving more than just your FB account at risk when you forget to sign out.
    • Also, I don’t recommend that you do anything related to finances when you are on a public computer.
  • Speaking of computers that are easy to compromise: if you are still using Windows XP, you will soon lose access to support.  This means that Microsoft will not be providing any more updates or security patches for it after April 8, 2014.  Security experts believe that the bad guys are stockpiling hacks in gleeful anticipation of that date.

Tomorrow: Safe file sharing using BU Google Drive. The BU version of Google Drive has been approved for use for sharing many types of secure files, but it is important to set up security correctly!  This message will show you how.

Best,

Quinn Shamblin, Executive Director of Information Security, Boston University

Get more great tips!  [ bu.edu/infosec/isaw/blasts/ ]

Follow me on twitter @BUInfoSec

Safe file sharing using BU Google Drive

BU Information Security Presents:  Safe file sharing using BU Google Drive

Many faculty members and students have been embracing cloud technologies in order to more easily share files.  There are many sites and technologies out there to help meet this need, such as Google Drive, Box, Dropbox, Microsoft SkyDrive, and others.  These solutions are very neat and provide some very nice capabilities; however, some of them have various security issues as well.

BU Information Security has worked with the University Registrar and we are happy to announce that the BU version of Google Drive has been approved for sharing many types of secure files.  BU has a contractual relationship with Google that provides many security protections that we do not enjoy with other services.

It is important to set up the security for BU Google Drive correctly.  By default in Google Drive, any file you upload will only be viewable by you, the account owner.   Many people will create a particular folder so that anyone who knows the link has access to that folder.  This setting makes sharing easier, but this approach means there is really no security on those folders.

The proper way to set up security is to configure the folder with the e-mail addresses of the people who should have access to it, and only them.  This is not difficult to do.  Instructions on how to sign up for BU Google Drive, how to install it and how to configure security properly may be found at:

[ bu.edu/infosec/policies/google-drive-security/]

If you already have a BU Google Drive and just want to learn about how to set up security properly, you can jump straight there with this link: [ bu.edu/infosec/policies/google-drive-security/#GD%20Security ]

That’s all from me for this year’s Information Security Awareness Week.  I hope you’ve learned something interesting this week and can move forward a little more safely.

Tomorrow: Bank and credit card theft at ATMs. Financial fraud through skimming credit cards and ATM information is on the rise.  Learn a few things you can do to protect yourself.

Best,

Quinn Shamblin, Executive Director of Information Security, Boston University

Get more great tips!  [ bu.edu/infosec/isaw/blasts/ ]

Follow me on twitter @BUInfoSec
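
The sharing rule above, named people only and never “anyone with the link”, can be checked mechanically once you have a folder’s permission list in hand.  The script below is an added example and is not BU’s own code or part of the original message.  The permission records are constructed inline and only borrow the field names of the Drive API v3 permission resource (type, role, emailAddress, allowFileDiscovery); nothing here calls the API, and the allowlist and the “reader or commenter only” role policy are assumptions for the example.

```python
"""Audit a Google Drive folder's sharing settings against an explicit allowlist.

Added example, not from the original BU message. The permission records
below are constructed inline; their field names follow the shape of the
Drive API v3 `permissions` resource (type, role, emailAddress,
allowFileDiscovery), but nothing here calls the API.
"""

# Grantee types that are not a specific person or group.
OPEN_TYPES = {"anyone", "domain"}


def audit_folder(permissions, allowed_emails, allowed_roles=("reader", "commenter")):
    """Return a list of human-readable findings; an empty list means the folder
    is shared only with the named people, at no more than the allowed roles."""
    findings = []
    allowed = {e.lower() for e in allowed_emails}
    seen = set()
    for p in permissions:
        ptype, role = p.get("type"), p.get("role")
        if role == "owner":
            continue  # the owner is not a share; skip
        if ptype in OPEN_TYPES:
            # "anyone" or a whole domain: no individual access control at all.
            where = p.get("domain", "anyone on the internet")
            discover = p.get("allowFileDiscovery", False)
            findings.append(
                f"open to {where} as {role}"
                + ("" if discover else " (link-only, still no access control)")
            )
            continue
        email = (p.get("emailAddress") or "").lower()
        seen.add(email)
        if email not in allowed:
            findings.append(f"{ptype} {email!r} is not on the allowlist (role {role})")
        elif role not in allowed_roles:
            findings.append(f"{email!r} has role {role}, above allowed {allowed_roles}")
    # People who should have access but were never added.
    for missing in sorted(allowed - seen):
        findings.append(f"{missing!r} is on the allowlist but has no access")
    return findings


# Constructed sample: what a folder looks like after someone turned on
# "anyone with the link" and then added collaborators by hand.
SAMPLE_PERMISSIONS = [
    {"type": "user", "role": "owner", "emailAddress": "prof@bu.edu"},
    {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    {"type": "user", "role": "writer", "emailAddress": "ta@bu.edu"},
    {"type": "user", "role": "reader", "emailAddress": "outsider@example.com"},
]
ALLOWLIST = ["ta@bu.edu", "student@bu.edu"]  # assumed policy for this example

if __name__ == "__main__":
    for line in audit_folder(SAMPLE_PERMISSIONS, ALLOWLIST):
        print("FINDING:", line)
```

The “anyone” entry is the one the blast warns about: a link-only share is not discoverable by search, but anybody who is forwarded the link still gets in, so the audit reports it regardless of allowFileDiscovery.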

Bank and credit card theft at ATMs

BU Information Security Presents: Bank and credit card theft at ATMs

Financial fraud through skimming bank and credit cards at ATM or gas pump locations is on the rise.

Card skimmers (very small devices designed to read a magnetic strip on a credit card and store the information for later retrieval) and small pinhole cameras can be built into a plastic cover, which can then be snapped onto an ATM or gas pump to steal card and PIN information.

Australian authorities have caught criminals using 3D printers to create card skimmers that perfectly blend with the ATM [ nakedsecurity.sophos.com/2013/08/16/aussie-atm-criminals-embrace-3d-printers-for-cashpoint-crimes/ ]

They put together this video to talk about ATM skimming and how to protect yourself:

Fiscal the Fraud Fighting Ferret: Episode 3 – ATM Skimming

[ youtube.com/watch?v=gWY290MaeBg ]

A few good tips:

  • Wiggle the card entry point to see if it moves at all or if it feels solid.
  • Look for any small holes in the card entry point or the fascia above the screen that might be concealing a hidden camera.
  • Make sure that the key pad is secure and doesn’t wiggle before you enter your PIN (some criminals have been placing very thin false covers over key pads in order to record PINs)
  • Cover the hand you use to type in your PIN, using your other hand or a piece of paper, to prevent someone from watching or recording what you type.
  • Carefully check your bank and credit card statements
    • If you see small unexplained charges like a dollar or two, this may be someone testing to see whether the account information they have for you is working.
    • If you receive electronic statements, make sure they are the preprinted PDF type and not just a webpage.  There are some kinds of malware that will intercept a webpage and change what is printed on your screen to try to hide what has been stolen.

Thanks, and have a great year!

Quinn Shamblin, Executive Director of Information Security, Boston University

Get more great tips!  [ bu.edu/infosec/isaw/blasts/ ]

Follow me on twitter @BUInfoSec

    2012 Blasts

    Passwords

    BU Information Security Presents: Passwords

    –A few important words brought to you as part of Information Security Awareness Week

    I understand that many of you might think of passwords as being an old and tired discussion.  But passwords are still the most commonly used way we prove who we are, so we can access our stuff and keep other people out of it.  There have been some major hacks over the past few months; the implications of those hacks might change how you use passwords.  So, here are a few important things you need to know about them:

    • You need a password (or other authentication mechanism) and a strong one.

    We have all heard this, but many people still don’t have any authentication on their computer or phone.  For some advice on how to pick a password that is easy to remember, go to:  bu.edu/infosec/howtos/how-to-choose-a-password/

    • You need different passwords for different sites (or different types of sites).

    This is becoming just as important as having strong passwords.  In just the past few months, Yahoo, eHarmony, LinkedIn, Last.fm, and a number of other gaming and web sites have all had large security breaches; hackers stole the passwords for many people on those sites.  This is a big deal because most people use the same password for a lot of different sites.  So, if one site is compromised and the hackers get your password, that password could let them in to other sites you use as well.  They will test that password on Facebook, Google, Amazon, eBay, Yahoo, all the big email providers, the web sites for every major bank and all the biggest credit cards, trying to find information or access that can be turned into cash.  For a first person account of this, read Mat Honan’s story which begins, “In the space of one hour, my entire digital life was destroyed.” (wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/)

    Think about using a password manager or a password segregation scheme.  For more on this, see bu.edu/today/2012/linkedin-hacking-what-you-need-to-know/

    • You need to change any password that came on your device by default.

    A lot of devices have default passwords built in that you might not think about.  For example, if you have not changed the password on your wireless internet router at home, anyone can go in and mess with your router, see computers on your network, steal your bandwidth and more.  You need to change these to a strong password that only you know.

    If you haven’t reviewed last year’s messages, you should go check them out; refresh your memory on a few things.  Read them at:  bu.edu/infosec/isaw/blasts/

    Best regards,

    Quinn Shamblin, Executive Director of Information Security, Boston University
    bu.edu/infosec/

    Keeping your stuff up to date

    BU Information Security Presents: Keeping your stuff up to date

    –A few important words brought to you as part of Information Security Awareness Week

    When a little window pops up on your computer telling you there is an update available for some piece of software or other, most people just sigh with exasperation and close the window.  “Don’t BOTHER me right now, I’ll do it later” is a pretty common reaction.  But those updates are there to keep you safe.

    Most of the time, those updates are being pushed out because someone has discovered a security hole with that software.  The update is what we call a “patch” for that hole.  Unpatched, these holes can allow a hacker to control or bypass the operating system of your computer.  That is one of the major goals of hackers: to control the system that holds your information.

    Keeping software up to date is important for all software.  Anything can have a vulnerability, but it is crucial for Java, Flash, Acrobat (PDFs) and your operating system (Windows, Mac, or Linux, it doesn’t matter, they all have security flaws).  Java, Flash and PDFs are very common and run across multiple platforms.  This means that if a hacker can find a security hole in one of them, it doesn’t matter if the computer is Windows or Mac.  For context, there are more exploits designed to attack holes in PDFs than there are for all versions of Windows combined.

    There is tremendous incentive to find security holes.  Criminal organizations routinely pay upwards of $100,000 for a single new exploit.   Almost every time you see a reminder to update, someone has found another one.  So, I know it can be a little annoying, but make sure to keep your stuff up to date!

    Best regards,

    Quinn Shamblin, Executive Director of Information Security, Boston University
    bu.edu/infosec/

    My files are stored on a free cloud service, are they safe?

    BU Information Security Presents: My files are stored on a free cloud service, are they safe?

    –A few important words brought to you as part of Information Security Awareness Week

    Actually, files stored in the cloud are usually pretty safe.  In some ways those files are safer than those you have that are stored only on your laptop or mobile phone.  If your computer or phone is lost, stolen or damaged and it was the only place where your important files were kept, those files are gone.  If they were also stored in the cloud, you have a backup.  In fact, most cloud storage providers have strong redundancy and backup systems and losses of files stored with them are rare.  They are also a nice way to keep the files in one place and be able to access them from many devices and locations.

    However, there are a few other considerations, especially if you store files that are sensitive in any way.

    • Not all cloud services are equal. Some do a much better job with security, redundancy and internal control.  Review the terms of service carefully to understand what they are offering.  One thing to understand: however unlikely it may be, if the files you store on such a service are lost, you will likely have no recourse at all.  Those files will be gone and there will be nothing you can do about it.
      Recommendation: Never have your files in only one place; always keep a backup somewhere else as well.
    • Password reuse is a big problem. One of my earlier emails pointed out the dangers of using the same password for multiple sites.  That is just as important here.  If your password were compromised on some other site and hackers tried it out on your cloud provider, what files would they have access to?
      Recommendation: Use a password manager or some other approach so that any site with important information about you gets its own password.  For more on this and some recommendations, read:  bu.edu/today/2012/linkedin-hacking-what-you-need-to-know/
    • Others may be able to access your files. Even if you are careful to use a unique password for all your accounts, some other person might still be able to access your files in a variety of ways:
      • A security hole could be discovered and your files accessed before the company can install a fix,
      • An employee of the company could take it into his or her head to just start poking around, despite the company policy forbidding it,
      • The company could be subject to a court order and be compelled to provide access, etc.
      • The company might simply decide to delete your files.   It has happened:  In July of 2009, Amazon deleted George Orwell’s 1984 from every Kindle (define irony).  Story: nytimes.com/2009/07/18/technology/companies/18amazon.html

    For most of your files, it probably doesn’t matter very much if someone else sees them, but what about your financial records, medical history or personal photos?

    Recommendation 1: Be selective about what you choose to store in the cloud.  You need to assume that anything you upload can be accessed by someone else: you don’t have an expectation of privacy and certainly don’t have any legal protection if your files are accessed.  That said, you can do something about this by using…

    Recommendation 2: Encryption.  If you choose to store sensitive files in the cloud, consider encrypting those files so that only you can open them.  If you encrypt a file with a program like Truecrypt (truecrypt.org), the contents will be inaccessible to anyone who might get access to the files inappropriately.

    Some of the services that IS&T provides are through the cloud.  Where a cloud service has been provided by IS&T, we work to mitigate these risks.  In some cases, we are able to negotiate stronger protections and levels of service than you can get as an individual consumer.  We will always make it clear in the service description what the requirements, terms and limitations are for our services.  Sensitive University data should not be put on any consumer cloud service (sensitive data is anything protected by law like student grades and any financial or medical information).

    Best regards,

    Quinn Shamblin, Executive Director of Information Security, Boston University
    bu.edu/infosec/
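
    Both the “different passwords for different sites” advice in the 2012 Passwords blast and the password-reuse recommendation in the cloud-storage message above come down to one question: if a single site leaks its password database, what else does that password open?  The script below is an added example and is not part of the original BU messages.  It reads a password-manager export (the CSV is a constructed sample in a generic name,url,username,password layout, not any particular manager’s real format), groups entries by password hash so the report never carries plaintext, and lists every password shared across sites together with the blast radius of one breached site.

```python
"""Find reused passwords in a password-manager export.

Added example, not from the original BU messages. The export below is a
constructed CSV in a generic "name,url,username,password" layout; it is
not any particular manager's real format. Entries are grouped by a SHA-256
digest so the report never has to show the passwords themselves.
"""
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse


def site_of(url):
    """Site label for grouping: the hostname with a leading 'www.' removed."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_reuse(export_csv):
    """Group vault entries by password; return {sha256[:12]: sorted([sites])}
    for every password that unlocks more than one distinct site."""
    by_hash = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_csv)):
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()[:12]
        by_hash[digest].add(site_of(row["url"]))
    return {h: sorted(sites) for h, sites in by_hash.items() if len(sites) > 1}


def exposure_if_breached(export_csv, breached_site):
    """If `breached_site` leaks its password database, which other sites in
    this vault are opened by the same password?  That is exactly the
    credential-testing the blast describes attackers doing next."""
    exposed = set()
    for sites in find_reuse(export_csv).values():
        if breached_site in sites:
            exposed.update(s for s in sites if s != breached_site)
    return sorted(exposed)


# Constructed sample vault: one password shared by three sites, one unique.
SAMPLE_EXPORT = """name,url,username,password
LinkedIn,https://www.linkedin.com/,alice,correct horse battery
Email,https://mail.example.net/,alice,correct horse battery
Bank,https://www.bank.example.com/login,alice,correct horse battery
Campus,https://www.bu.edu/,alice,a different one entirely
"""

if __name__ == "__main__":
    for digest, sites in find_reuse(SAMPLE_EXPORT).items():
        print(f"password {digest}... is shared by: {', '.join(sites)}")
    print("if linkedin.com were breached, also at risk:",
          exposure_if_breached(SAMPLE_EXPORT, "linkedin.com"))
```

    Run it against a real export only on a machine you trust and delete the export afterwards; the point of the hash is to keep plaintext out of the report, not to make the export file itself safe to leave lying around.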

    Facebook and Google know everything about me, should I care?

    BU Information Security Presents: Facebook and Google know everything about me, should I care?

    –A few important words brought to you as part of Information Security Awareness Week

    Humans are social creatures and we now have services at our fingertips that allow us to be more connected than ever before in history.  Facebook, Google, YouTube, Twitter, Foursquare, GetGlue, Spotify, and many other popular services collect information about us, our interests, activities, preferences, location, viewing/listening habits, and almost anything else and allow us to share that information with others.

    There are lots of very cool free services out there that leverage all this information.  But as the saying goes, if you cannot see what product is being sold, you are the product.  Sites like this are usually funded through advertising.  For example, Google uses keyword information from Gmail, your search history and YouTube viewing history to create a profile of your interests.  This benefits you by making search results better and making you aware of goods and services that are likely to be of interest to you based on that profile; you will have to wade through less to find something you want.  It benefits the advertisers by showing their ads only to people likely to be interested, thereby improving the value per advertising dollar spent.

    But there is another side that you need to be aware of.  Information from these services can be used in ways that may not have been originally considered or intended, especially when multiple sources are combined.  A number of very revealing stories have come out over the past few years.  If you haven’t heard of these, they are worth a few minutes to read.

    • “Is a badge on Foursquare worth your life?”  Due to Geotagging, if a Soldier uploads a photo taken on his or her smartphone to Facebook, they could broadcast the exact location of his or her unit.
      Story:  army.mil/article/75165/Geotagging_poses_security_risks/
    • FaceDeals:  This is a new service that uses the facial recognition capability of Facebook to scan your face when you walk into a store and send store discounts straight to your phone.  Cool, but also a bit scary.  This means that Facebook can track your physical location through a camera and sell that information to anyone they wish.
      Story:  nakedsecurity.sophos.com/2012/08/14/new-facebook-app-facedeals-scans-your-face-to-offer-you-deals/
    • Please Rob Me:  Pleaserobme.com looked at tweets from people who are also using location-based services telling the world that they’re out of town, and told the world where to go to rob their house.  The site was designed to raise awareness of the risks of posting information that you might not think of as sensitive, like your home address (on Facebook) and your current location (on Twitter or Foursquare).  The operators of the site shut it down after making their point.

    Don’t take this as a condemnation of all those cool sites and services out there.  Take advantage of them.  Just be aware of what information they are collecting and make smart choices about what you share and how.

    Surf safe!

    Quinn Shamblin, Executive Director of Information Security, Boston University
    bu.edu/infosec/

    2011 Blasts

    Phishing

    BU Information Security Presents: Phishing

    –A few important words brought to you as part of Information Security Awareness Week

    Most people think they know about spam and phishing, yet every day someone at Boston University falls for a common email scam and has their account compromised.  Here are a few simple tips to avoid being hooked by a phisher:

    1. If the email asks for your password, it is a scam.  Delete it.
    2. If the email is about a financial account you don’t have or an order that you don’t know anything about, it is almost certainly a scam.
    3. If you feel you must check out something sent to you in email, DON’T CLICK THE LINK.  It is completely possible to make a link lie to you.  Instead, use your browser to go to the known and trusted website by typing in the URL/Web Address yourself.  For example, take this link:  http;//www.google.com/  If you click this, it will not take you to Google, it will take you somewhere completely different.  Scammers use this trick all the time to trick you into going to malicious websites.
    4. You can tell where a link is going to take you by hovering over it with your mouse.  Don’t click.  Hover.  If you do this for the link above you will see yahoo pop up in a box by your pointer or in a space at the bottom of your email client or browser.  General rule: if the email message is lying to you about where it wants to send you, it is a scam.
    5. Forward scam emails to abuse@bu.edu and then delete them. If in doubt, call the IT Help Desk (Charles River Campus (617) 353-4357, Medical Campus (617) 638-5914).

    For more information visit:  http://www.bu.edu/infosec/howtos/fight-phishing/

    (The above link was sent in clear text and is pointing to a domain you trust, bu.edu.  But if your email client made the link clickable, you should still get into the habit of not clicking it, but copying and pasting the link into your browser.)

    Warm regards and safe emailing,

    Quinn Shamblin, Executive Director of Information Security, Boston University
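
    The hover-and-compare check in tips 3 and 4 above, and the “never click a link in an e-mail” advice in the 2013 “One click compromise” blast, can be automated for an HTML message.  The Python script below is an added example and is not part of the original BU messages.  The e-mail body it scans is a constructed sample, and the trusted-domain list is an assumption for the example.  It extracts every anchor, compares the host the visible text claims against the host the href actually points to, and separately flags hosts that merely contain a trusted name: a suffix match on a dot boundary is what distinguishes www.bu.edu from bu.edu.example.net.

```python
"""Flag e-mail links whose visible text points somewhere other than their href.

Added example (not part of the original BU messages). The HTML below is a
constructed sample; no real phishing message is reproduced, and the
trusted-domain list is an assumption for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader considers trusted; an assumption for this example.
TRUSTED_DOMAINS = {"bu.edu", "google.com"}


def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(host, domain):
    """True only if host is domain or a subdomain of it.  The dot boundary
    matters: 'bu.edu.example.net' must NOT match 'bu.edu'."""
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_lying_links(html):
    """Return a list of (shown_text, real_host, reason) for suspicious anchors."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        # Only treat the visible text as a URL claim if it looks like one.
        shown_host = host_of(text) if ("." in text and " " not in text) else ""
        if shown_host and not same_site(real_host, shown_host):
            findings.append((text, real_host, "visible URL differs from destination"))
        elif real_host and any(d in real_host for d in TRUSTED_DOMAINS) \
                and not any(same_site(real_host, d) for d in TRUSTED_DOMAINS):
            findings.append((text, real_host, "trusted name embedded in untrusted host"))
    return findings


# Constructed sample e-mail body: one link that lies about its destination,
# one honest link, and one look-alike host that merely contains "bu.edu".
SAMPLE_HTML = """
<p>Verify your account: <a href="http://www.yahoo.com/">http://www.google.com/</a></p>
<p>Policy: <a href="http://www.bu.edu/infosec/">http://www.bu.edu/infosec/</a></p>
<p>Login: <a href="http://bu.edu.example.net/login">click here</a></p>
"""

if __name__ == "__main__":
    for text, host, reason in find_lying_links(SAMPLE_HTML):
        print(f"SUSPECT: shown {text!r} -> actually {host} ({reason})")
```

    Run it directly to print the findings; the honest bu.edu link produces nothing.  The same_site check is the one worth reusing anywhere a “trusted domain” comparison is made, because a plain substring test is exactly what look-alike hostnames are built to pass.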

    Mobile phone security and what to do if you lose your phone

    BU Information Security Presents: Mobile phone security and what to do if you lose your phone

    –A few important words brought to you as part of Information Security Awareness Week

    Modern smart phones are computers, in every way that counts.  And you typically have them set up to automatically access your email and other apps that may contain sensitive information about you, your family, friends or business contacts.  All that power—all that access—sits in the palm of your hand in a device that is very easy to lose.  There are a few simple things you can do to help protect it:

    1. Put a password/code/pattern on it and set it to automatically lock after 5 minutes.  It might be a little annoying at first, but it’s important and you’ll get used to it quickly.  For a bit of a laugh:  youtube.com/watch?v=spaQGWasqHY
    2. Get an anti-virus program installed.  Yes, anti-virus for your smart phone.  Remember these are computers, and they are almost completely unprotected.  The hackers know this and are putting a lot of attention on it.  Here is a good free AV product:  mylookout.com
    3. If you lose your phone, don’t have it disconnected until you call the IS&T Help Center.  If your phone is set up to pull your email from BU Exchange, you can request that we wipe the phone in the event that the phone is lost.  This way no one can get to any private information on that phone.  But we can’t do this if you have the service disconnected before talking to us.

    For more information visit:  bu.edu/infosec/howtos/smartphone-security-measures/

    and bu.edu/infosec/policies/security-hardening-of-ios/

    (The above links were sent in clear text and are pointing to a domain you trust, bu.edu.  But if your email client made them clickable, you should still get into the habit of copying and pasting them into your browser instead of clicking.)

    Warm regards and safe phoning,

    Quinn Shamblin, Executive Director of Information Security, Boston University

    A couple easy tips to protect your computer

    BU Information Security Presents: A couple easy tips to protect your computer

    –A few important words brought to you as part of Information Security Awareness Week

    You may have heard these tips before, but they work!  Every day the IT Help Center at BU fixes problems that might have been avoided if the person had followed these simple steps:

    • Make sure your computer and the software on your computer gets updates automatically.  Yeah, it’s a little annoying, but almost all those updates are to fix security vulnerabilities that someone found and that are actively being exploited.
    • Get anti-malware software.  Even if you have a Mac, GET ANTI-MALWARE.  Every year for the past 5 years, Macs were the first computers to get hacked into during a popular international hacker competition.  One year it only took 13 seconds.
    • Never give out your password to anyone.
    • Regularly back up your important files.  If the worst happens and you have to completely reinstall your computer, at least you will still have all your files.
    • Don’t use an administrative account as your normal account.
      For details of what this means and how to fix it, see:  bu.edu/infosec/howtos/how-to-create-an-admin-account/

    For more information visit:  bu.edu/infosec/howtos/how-to-lock-your-computer/

    (The above link was sent in clear text and is pointing to a domain you trust, bu.edu.  But if your email client made the link clickable, you should still get into the habit of copying and pasting the link into your browser.)

    Warm regards and safe computing,

    Quinn Shamblin, Executive Director of Information Security, Boston University

    Securing your iPad

    BU Information Security Presents: Securing your iPad

    –A few important words brought to you as part of Information Security Awareness Week

    iPads and iPhones are so popular that we felt they needed their own message.  The security on these products is really quite good, but only IF you make sure the password is set and the device is set to lock after a few minutes of not being used.  If you don’t set the password, nothing is encrypted and the protections are significantly lower.

    To properly secure an iPhone or iPad, you should:

    1. Require a passcode to access the device
    2. Set auto-lock timeout to lock your device after a short period of non-use, 5 minutes or so
    3. Disable grace period for lock or set it to a low value like 2 minutes
    4. Set the system to erase your data if someone tries to break in by entering the wrong passcode 10 times in a row
    5. Consider activating “Find My iPhone” on your device.  This allows you to see where your phone is if you lose it and can even allow you to remotely wipe the data from it if you need to do so.  For details, see:  apple.com/iphone/built-in-apps/find-my-iphone.html

    For details on how to do these things, visit:  bu.edu/infosec/policies/security-hardening-of-ios/

    (The above link was sent in clear text and is pointing to a domain you trust, bu.edu.  But if your email client made the link clickable, you should still get into the habit of copying and pasting the link into your browser.)

    Warm regards and safe computing,

    Quinn Shamblin, Executive Director of Information Security, Boston University