2014 Blasts
Security Breaches
BU Information Security Presents: Security Breaches
Security Breaches. What to do when your favorite store or site gets hacked.
Security breaches are becoming more and more common. Recently JP Morgan, Home Depot, Goodwill, and Google have been in the news for security breaches. It is important for you to know what you should do in the event that a store where you have shopped has a security breach. If credit card information has been stolen from the store, monitor your credit card statement and your credit report. You can get one free credit report from each of the three main agencies every year by going to www.annualcreditreport.com. Keeping an eye on these reports can help you detect if your identity or one of your financial accounts is being used fraudulently.
If you have an account with a website that has been breached, you need to change that password. If you have used that same password on any other site, change it there, too. Always make sure you understand what information you are giving to these companies and think about what it might mean if the site is hacked. This includes posting pictures and other personal information. We keep hearing about celebrity photos being stolen from online accounts – what do you have online? What if Facebook were hacked tomorrow?
Password management is increasingly crucial. Don’t use your BU password anywhere else. Same for your email; don’t use that password anywhere else. In fact, it is best to use a different password for every account; that way if one website becomes compromised, it won’t impact others. The easiest way to do this is to use a password management tool, which allows you to remember one password and automatically keeps track of all your other passwords for you. Links to some of these password management tools are listed below.
A list of recent data breaches: [ databreachtoday.com/news ]
How to pick a good password: [ bu.edu/infosec/howtos/how-to-choose-a-password/ ]
Some respected password management tools:
LastPass [ lastpass.com ]
1Password [ agilebits.com/onepassword ]
Tomorrow: Harden your accounts against hackers. Make it so that there is more than just a password between the bad guys and your sensitive stuff.
Best,
Quinn Shamblin, Executive Director of Information Security, Boston University
Harden your accounts against hackers
BU Information Security Presents:
Harden your accounts against hackers. Two factor protection is now offered on many websites (Google, Facebook, more) and at BU. This makes it so that there is more than just a password between the bad guys and your sensitive stuff.
The plethora of hacked web account stories over the last year prompts me to talk about how you can better protect your information on many sites you use every day. It is something called two-factor (or multi-factor) authentication. Two-factor authentication adds another layer of confirmation in addition to your password. When you have this enabled, a message will be sent to your smart phone to confirm it is really you trying to log in. If a hacker tries to access your account, he or she will not have your phone and so cannot get in.
Many popular sites and services now offer two-factor protection: Google, Facebook, Twitter, Apple, Microsoft, and many others.
Boston University also has two-factor protection for users of BUworks. We use Duo Security to provide strong protections for your salary and benefits information. BU staff have been on Duo for several weeks; Faculty and Student Employees are planned to be added to the system on October 14.
One nice thing about the Duo Security App is that it can be used for two-factor at BU and for all the other online services I talked about—a one-stop solution instead of needing multiple apps.
Two-Factor Authentication from:
• Microsoft [ windows.microsoft.com/en-us/windows/two-step-verification-faq ]
• Apple [ support.apple.com/kb/ht5570 ]
• Google [ google.com/landing/2step/ ]
• BU [ bu.edu/tech/duo/ ]
Tomorrow: Facebook Messenger App. Time to freak out?
Best,
Quinn Shamblin, Executive Director of Information Security, Boston University
Facebook Messenger App
BU Information Security Presents:
Facebook Messenger App. No need to freak out.
There was a lot of conversation a few weeks ago about the Facebook Messenger App. I was glad to see the conversation. We need to understand any possible risks an app might bring. What if the new game you download asks for access to your BU email? It may contain graded school work, and all sorts of personal information, plus your email can often be used to reset passwords to other websites. If that app is run by someone malicious, who knows what they might do. Android phones generally do better at informing you about what permissions an app has requested than iPhones do, but they do so when an app is first installed. This is what led to the concern about Facebook Messenger. The permissions said that the app needed access to the phone’s camera, when people were used to just IMing.
Facebook came under fire when people thought that the Messenger app asked for too much access: to the camera, the microphone, and contacts list. What people are concerned about is that Messenger might do so at any time without further permissions or even you even knowing. The issue is that phone operating systems do not ask your permission when an app wants to do something the first time; if they ask at all, they usually do so only at install. A well-written app will often confirm with you permission to do something the first time it would like to do it and in fact this happens with Messenger: “Can I use your location information?” The Messenger app has legitimate need for access to your camera and microphone as it now includes a function like Skype or FaceTime and it needs your contact list so it can tell you who is calling or allow you to call easily.
For more, visit:
[ facebook.com/messengerfacts ]
[ nakedsecurity.sophos.com/2014/08/29/facebook-wants-you-to-know-that-messenger-is-not-spying-on-you/ ]
But this does highlight the importance of understanding what an app does and why it might need access to some kinds of information. Read the fine print in the terms and conditions before you accept them to understand what permissions you are giving the app. Read reviews of the device and only download apps from reputable sources (iTunes, Google Play, etc.)
Tomorrow: Protecting your phone and computer in case it is stolen. A few simple steps to make sure thieves can only steal your device, not your pictures, your money or your identity.
Best,
Quinn Shamblin, Executive Director of Information Security, Boston University
Protecting your phone and computer in case it is stolen
BU Information Security Presents:
Protecting your phone and computer in case it is stolen. A few simple steps to make sure thieves can only steal your device, not your pictures, your money or your identity.
Protecting your smartphones, tablets, and laptops is crucial. These devices hold a world of information about you – information that could lead to embarrassment, theft of money, or even identity fraud if it falls into the wrong hands. The number of stolen devices each year is continually on the rise, so here are a few simple things you can do to significantly reduce your risk if your device is stolen:
1. Put a password, passcode, or screen swipe pattern on the device. While it may be a little more annoying to put in a code when you pull out your phone or boot up your computer, security is impossible without this step.
2. Encrypt your device and computer. (A password is not encryption; it is just a lock on the front door.) If an encrypted device is stolen, the thieves have only taken the device itself – they cannot also steal your pictures, your banking information, or your identity.
A few important points:
• Be sure to back up your files before you encrypt. It usually goes through with no issue, but it is best to make sure your stuff is going to be OK if there is some rare issue.
• It takes a little time to do the encryption the first time, but after that is done, you should see no appreciable performance difference.
• If you encrypt, be sure you write down the unlock key, just in case!!!
How to encrypt
Information on how to encrypt your particular device is readily available online. Review it in detail before you begin, but here is some information to get you started:
• For iPhones, encryption is enabled automatically (and instantly) when you set up a passcode in Settings > Passcode
• Android phones navigate to: Settings > Security
• For PCs with Windows 8, or Windows 7 Ultimate or Enterprise, go to:
Start > Control Panel > BitLocker Drive Encryption
[ technet.microsoft.com/en-us/library/dd835565%28v=ws.10%29.aspx ]
• For Macs with OS X, go to:
Apple menu > System Preferences > Security & Privacy > FileVault
[ support.apple.com/kb/HT4790 ]
Thanks, and have a great year!
Quinn Shamblin, Executive Director of Information Security, Boston University
2013 Blasts
Spy Phones! Keeping your phone secure is more important than ever
BU Information Security Presents: Spy Phones! Keeping your phone secure is more important than ever.
Black Hat and DEFCON are two of the largest security expert and hacker conferences in the world. This year many of the talks were about security vulnerabilities and newly discovered hacks for smartphones.
One group did research on a set of 650,000 phones and found that an average of one phone in every 1000 is compromised. Almost half of the hacked phones were iPhones, even though Androids outnumber iPhones by 3 to 1.
There were several other talks describing how to turn a compromised phone into a spy phone, turning on the camera and microphone without the permission of the owner, stealing pictures, email messages and texts and learning everything there is to know about the owner of that phone. Many celebrities have found themselves highly publicized victims of such hacks, but in this era of identity theft and financial fraud, the everyday person is just as susceptible.
What you can do to help protect your phone from being compromised:
– Set up your phone securely.
— This also helps protect you if you lose your phone [youtube.com/watch?v=spaQGWasqHY]
— At a minimum, put on a password and set your phone to lock after a few minutes.
— For a good checklist, see: [ bu.edu/infosec/policies/security-hardening-of-ios/ ]
– Never jailbreak your phone.
– Always get your apps from the official app stores. (We have seen a few counterfeit BU mobile apps available from non-official sources.)
– Pay attention when an app update asks for a new permission. The original app may have been tested for malware by the app store, but updates come straight from the author, not from the app store; this is a common way of compromising a phone.
– Keep your phone updated. When Apple or Android releases an updated version of their operating systems, make sure you back up your phone and then install the new version.
BU Information Security is working with a cross-disciplinary group to review the mobile device security policy and technical security requirements and capabilities for phones that may contain sensitive data entrusted to BU. That group includes CRC and BUMC staff, CRC and BUMC teaching faculty, research faculty, and BU personnel that also work at Boston Medical Center. More information will be coming later this year as a result of this review.
Tomorrow: One click compromise. Phishing is not always about getting your password – sometimes all they want is for you to click the link…
Best,
Quinn Shamblin, Executive Director of Information Security, Boston University
One click compromise
BU Information Security Presents: One click compromise
Phishing is not always about getting your password – sometimes all they want is for you to click the link…
Most attempts to hack your computer, phone or tablet are related to one of two things:
1. stealing your identity or financial information for the purpose of financial gain or
2. compromising your computer so that it can be used by the bad guys as an extension of the network of computers they control (which often leads back to reason #1)
Take 30 seconds to view the amusing woes of Mike, who has been a victim of identity theft:
“I’m Mike” – [ youtube.com/watch?v=h_LSbm_RKHc ]
Most malicious software is installed automatically without your permission when you visit a website or click a link that hosts malicious software. Those links are often sent to you by email or text messages. These “phishing” messages are crafted by the bad guys to make you click a link. They might promise a funny video or claim to be a receipt for products that you never bought or claim to be a security warning from your bank or credit card, etc. Never click a link in an e-mail or text message, unless you know the sender and you were expecting the message. (Just because it is from a friend, does not mean it’s a good message. What if your friend’s account was hacked?)
While you should remain vigilant throughout the year for phishing messages, there is often an increase in these types of messages around the following events:
– Holidays and other seasonal events, including tax day and the start of a new semester.
– Playing off of a well-known or publicized event.
– In solicitations after a tragic event.
– Unsolicited requests for confirmation of account credentials.
The URLs on this page were originally sent as regular text, not as clickable links. Your e-mail client may have made them clickable anyway. It is best to get in the habit of looking at a URL to confirm that it is a place you trust. Then, paste it into your browser instead of clicking on it.
– While we’re on the subject of identity theft, if you ever use public computers, be sure you log out before you leave them. “Log Out for Computer Safety” – [ youtube.com/watch?v=x_gcCURLOZc th ]
— If you use Facebook to sign into other sites, you are leaving more than just your FB account at risk when you forget to sign out.
— Also, I don’t recommend that you do anything related to finances when you are on a public computer.
– Speaking of computers that are easy to compromise: if you are still using Windows XP, you will soon lose access to support. This means that Microsoft will not be providing any more updates or security patches for it after April 8, 2014. Security experts believe that the bad guys are stockpiling hacks in gleeful anticipation of that date.
Tomorrow: Safe file sharing using BU Google Drive. The BU version of Google Drive has been approved for use for sharing many types of secure files, but it is important to set up security correctly! This message will show you how.
Best,
Quinn Shamblin, Executive Director of Information Security, Boston University
Safe file sharing using BU Google Drive
BU Information Security Presents: Safe file sharing using BU Google Drive
Many faculty members and students have been embracing cloud technologies in order to more easily share files. There are many sites and technologies out there to help meet this need, such as Google Drive, Box, DropBox, Microsoft SkyDrive, and others. These solutions are very neat and provide some very nice capabilities; however, some of them have various security issues as well.
BU Information Security has worked with the University Registrar and we are happy to announce that the BU version of Google Drive has been approved for sharing many types of secure files. BU has a contractual relationship with Google that provides many security protections that we do not enjoy with other services.
It is important to set up the security for BU Google Drive correctly. By default in Google Drive, any file you upload is viewable only by you, the account owner. Many people then create a particular folder so that anyone who knows the link has access to that folder. This setting makes sharing easier, but it means there is really no security on those folders: the link itself is the only thing protecting them.
The proper way to set up security is to configure the folder with the e-mail addresses of the people who should have access to it, and only them. This is not difficult to do. Instructions on how to sign up for BU Google Drive, how to install it and how to configure security properly may be found at:
[ bu.edu/infosec/policies/google-drive-security/]
If you already have a BU Google Drive and just want to learn about how to set up security properly, you can jump straight there with this link: [ bu.edu/infosec/policies/google-drive-security/#GD%20Security ]
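As an added illustration of the sharing distinction above (example code, not BU's or Google's own), here is a small Python audit over constructed permission records, shaped like the Google Drive API v3 permissions resource; it flags any "anyone with the link" entry and, optionally, any named account outside an expected domain. The field names and sample e-mail addresses are assumptions for the example.

```python
"""Audit Drive-style folder sharing: explicit people only, no link sharing.

Added example, not code from the BU newsletter or from Google. The permission
records below are constructed by hand and modeled on the Google Drive API v3
`permissions` resource (fields `type`, `role`, `emailAddress`,
`allowFileDiscovery`); a real audit would fetch them with permissions.list.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the "anyone who knows the link" setup the text warns about.
# allowFileDiscovery=False means link-only (not searchable), but anyone holding
# the link still gets in, so it is flagged all the same.
WEAK_FOLDER_PERMISSIONS: List[Dict] = [
    {"id": "anyoneWithLink", "type": "anyone", "role": "reader",
     "allowFileDiscovery": False},
    {"id": "owner-1", "type": "user", "role": "owner",
     "emailAddress": "owner@example.edu"},
]

# Constructed sample: the recommended setup, named accounts and nothing else.
PROPER_FOLDER_PERMISSIONS: List[Dict] = [
    {"id": "owner-1", "type": "user", "role": "owner",
     "emailAddress": "owner@example.edu"},
    {"id": "perm-2", "type": "user", "role": "writer",
     "emailAddress": "colleague@example.edu"},
    {"id": "perm-3", "type": "user", "role": "reader",
     "emailAddress": "student@example.edu"},
]


@dataclass(frozen=True)
class Finding:
    permission_id: str
    reason: str


def audit_permissions(perms: List[Dict],
                      allowed_domain: Optional[str] = None) -> List[Finding]:
    """Return one Finding per permission that is not an explicit, in-scope grant.

    - type "anyone": link sharing, always flagged.
    - type "domain": whole-organization sharing, flagged (too broad).
    - type "user"/"group": accepted, unless allowed_domain is given and the
      address lies outside it.
    - anything else: flagged as unknown so it gets a human look.
    """
    findings: List[Finding] = []
    for p in perms:
        ptype = p.get("type")
        pid = p.get("id", "<no id>")
        if ptype == "anyone":
            findings.append(Finding(pid, "link sharing: anyone with the link can access"))
        elif ptype == "domain":
            findings.append(Finding(pid, f"shared with entire domain {p.get('domain')!r}"))
        elif ptype in ("user", "group"):
            email = (p.get("emailAddress") or "").lower()
            if allowed_domain and not email.endswith("@" + allowed_domain.lower()):
                findings.append(Finding(pid, f"shared outside {allowed_domain}: {email or '<no address>'}"))
        else:
            findings.append(Finding(pid, f"unknown permission type {ptype!r}"))
    return findings


def is_properly_restricted(perms: List[Dict],
                           allowed_domain: Optional[str] = None) -> bool:
    """True when every grant names a specific account (within the domain, if given)."""
    return not audit_permissions(perms, allowed_domain)


if __name__ == "__main__":
    for name, perms in (("weak", WEAK_FOLDER_PERMISSIONS),
                        ("proper", PROPER_FOLDER_PERMISSIONS)):
        result = audit_permissions(perms, allowed_domain="example.edu")
        print(f"{name} folder: {'OK' if not result else 'NEEDS ATTENTION'}")
        for f in result:
            print(f"  {f.permission_id}: {f.reason}")
```

Running the block prints "NEEDS ATTENTION" for the link-shared folder and "OK" for the explicitly shared one.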
That’s all from me for this year’s Information Security Awareness Week. I hope you’ve learned something interesting this week and can move forward a little more safely.
Tomorrow: Bank and credit card theft at ATMs. Financial fraud through skimming credit cards and ATM information is on the rise. Learn a few things you can do to protect yourself.
Best,
Quinn Shamblin, Executive Director of Information Security, Boston University
Bank and credit card theft at ATMs
BU Information Security Presents: Bank and credit card theft at ATMs
Financial fraud through skimming bank and credit cards at ATMs or gas pumps is on the rise.
Card skimmers (very small devices designed to read a magnetic strip on a credit card and store the information for later retrieval) and small pinhole cameras can be built into a plastic cover, which can then be snapped onto an ATM or gas pump to steal card and PIN information.
Australian authorities have caught criminals using 3D printers to create card skimmers that perfectly blend with the ATM [ nakedsecurity.sophos.com/2013/08/16/aussie-atm-criminals-embrace-3d-printers-for-cashpoint-crimes/ ]
They also put together this video about ATM skimming and how to protect yourself:
Fiscal the Fraud Fighting Ferret: Episode 3 – ATM Skimming
[ youtube.com/watch?v=gWY290MaeBg ]
A few good tips:
– Wiggle the card entry point to see if it moves at all or if it feels solid.
– Look for any small holes in the card entry point or the fascia above the screen that might be concealing a hidden camera.
– Make sure that the key pad is secure and doesn’t wiggle before you enter your PIN (some criminals have been placing very thin false covers over key pads in order to record PINs).
– Cover the hand you use to type in your PIN with your other hand or a piece of paper, to prevent someone from watching or recording what you type.
– Carefully check your bank and credit card statements
— If you see small unexplained charges like a dollar or two, this may be someone testing to see whether the account information they have for you is working.
— If you receive electronic statements, make sure they are the preprinted PDF type and not just a webpage. There are some kinds of malware that will intercept a webpage and change what is displayed on your screen to try to hide what has been stolen.
Thanks, and have a great year!
Quinn Shamblin, Executive Director of Information Security, Boston University
2012 Blasts
Passwords
BU Information Security Presents: Passwords
–A few important words brought to you as part of Information Security Awareness Week
I understand that many of you might think of passwords as being an old and tired discussion. But passwords are still the most commonly used way we prove who we are, so we can access our stuff and keep other people out of it. There have been some major hacks over the past few months; the implications of those hacks might change how you use passwords. So, here are a few important things you need to know about them:
– You need a password (or other authentication mechanism) and a strong one.
We have all heard this, but many people still don’t have any authentication on their computer or phone. For some advice on how to pick a password that is easy to remember, go to: bu.edu/infosec/howtos/how-to-choose-a-password/
– You need different passwords for different sites (or different types of sites).
This is becoming just as important as having strong passwords. In just the past few months, Yahoo, eHarmony, LinkedIn, Last.fm, and a number of other gaming and web sites have all had large security breaches; hackers stole the passwords for many people on those sites. This is a big deal because most people use the same password for a lot of different sites. So, if one site is compromised and the hackers get your password, that password could let them in to other sites you use as well. They will test that password on Facebook, Google, Amazon, eBay, Yahoo, all the big email providers, the web sites for every major bank and all the biggest credit cards, trying to find information or access that can be turned into cash. For a first-person account of this, read Mat Honan’s story, which begins, “In the space of one hour, my entire digital life was destroyed.” (wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/)
Think about using a password manager or a password segregation scheme. For more on this, see bu.edu/today/2012/linkedin-hacking-what-you-need-to-know/
– You need to change any password that came on your device by default.
A lot of devices have default passwords built in that you might not think about. For example, if you have not changed the password on your wireless internet router at home, anyone can go in and mess with your router, see computers on your network, steal your bandwidth and more. You need to change these to a strong password that only you know.
If you haven’t reviewed last year’s messages, you should go check them out; refresh your memory on a few things. Read them at: bu.edu/infosec/isaw/blasts/
Best regards,
Quinn Shamblin, Executive Director of Information Security, Boston University
bu.edu/infosec/
Keeping your stuff up to date
BU Information Security Presents: Keeping your stuff up to date
–A few important words brought to you as part of Information Security Awareness Week
When a little window pops up on your computer telling you there is an update available for some piece of software or other, most people just sigh with exasperation and close the window. “Don’t BOTHER me right now, I’ll do it later” is a pretty common reaction. But those updates are there to keep you safe.
Most of the time, those updates are being pushed out because someone has discovered a security hole with that software. The update is what we call a “patch” for that hole. Unpatched, these holes can allow a hacker to control or bypass the operating system of your computer. That is one of the major goals of hackers: to control the system that holds your information.
Keeping software up to date is important for all software. Anything can have a vulnerability, but it is crucial for Java, Flash, Acrobat (PDFs) and your operating system (Windows, Mac, or Linux, it doesn’t matter; they all have security flaws). Java, Flash and PDFs are very common and run across multiple platforms. This means that if a hacker can find a security hole in one of them, it doesn’t matter whether the computer is Windows or Mac. For context, there are more exploits designed to attack holes in PDFs than there are for all versions of Windows combined.
There is tremendous incentive to find security holes. Criminal organizations routinely pay upwards of $100,000 for a single new exploit. Almost every time you see a reminder to update, someone has found another one. So, I know it can be a little annoying, but make sure to keep your stuff up to date!
Best regards,
Quinn Shamblin, Executive Director of Information Security, Boston University
bu.edu/infosec/
My files are stored on a free cloud service, are they safe?
BU Information Security Presents: My files are stored on a free cloud service, are they safe?
–A few important words brought to you as part of Information Security Awareness Week
Actually, files stored in the cloud are usually pretty safe. In some ways those files are safer than those you have that are stored only on your laptop or mobile phone. If your computer or phone is lost, stolen or damaged and it was the only place where your important files were kept, those files are gone. If they were also stored in the cloud, you have a backup. In fact, most cloud storage providers have strong redundancy and backup systems and losses of files stored with them are rare. They are also a nice way to keep the files in one place and be able to access them from many devices and locations.
However, there are a few other considerations, especially if you store files that are sensitive in any way.
– Not all cloud services are equal. Some do a much better job with security, redundancy and internal control. Review the terms of service carefully to understand what they are offering. One thing to understand: however unlikely it may be, if the files you store on such a service are lost, you will likely have no recourse at all. Those files will be gone and there will be nothing you can do about it.
Recommendation: Never have your files in only one place; always keep a backup somewhere else as well.
– Password reuse is a big problem. One of my earlier emails pointed out the dangers of using the same password for multiple sites. That is just as important here. If your password were compromised on some other site and hackers tried it out on your cloud provider, what files would they have access to?
Recommendation: Use a password manager or some other approach so that any site with important information about you gets its own password. For more on this and some recommendations, read: bu.edu/today/2012/linkedin-hacking-what-you-need-to-know/
– Others may be able to access your files. Even if you are careful to use a unique password for all your accounts, some other person might still be able to access your files in a variety of ways:
— A security hole could be discovered and your files accessed before the company can install a fix,
— An employee of the company could take it into his or her head to just start poking around, despite the company policy forbidding it,
— The company could be subject to a court order and be compelled to provide access, etc.
— The company might simply decide to delete your files. It has happened: In July of 2009, Amazon deleted George Orwell’s 1984 from every Kindle (define irony). Story: nytimes.com/2009/07/18/technology/companies/18amazon.html
For most of your files, it probably doesn’t matter very much if someone else sees them, but what about your financial records, medical history or personal photos?
Recommendation 1: Be selective about what you choose to store in the cloud. You need to assume that anything you upload can be accessed by someone else: you don’t have an expectation of privacy and certainly don’t have any legal protection if your files are accessed. That said, you can do something about this by using…
Recommendation 2: Encryption. If you choose to store sensitive files in the cloud, consider encrypting those files so that only you can open them. If you encrypt a file with a program like Truecrypt (truecrypt.org), the contents will be inaccessible to anyone who might get access to the files inappropriately.
Some of the services that IS&T provides are through the cloud. Where a cloud service has been provided by IS&T, we work to mitigate these risks. In some cases, we are able to negotiate stronger protections and levels of service than you can get as an individual consumer. We will always make it clear in the service description what the requirements, terms and limitations are for our services. Sensitive University data should not be put on any consumer cloud service (sensitive data is anything protected by law like student grades and any financial or medical information).
Best regards,
Quinn Shamblin, Executive Director of Information Security, Boston University
bu.edu/infosec/
Facebook and Google know everything about me, should I care?
BU Information Security Presents: Facebook and Google know everything about me, should I care?
–A few important words brought to you as part of Information Security Awareness Week
Humans are social creatures and we now have services at our fingertips that allow us to be more connected than ever before in history. Facebook, Google, YouTube, Twitter, FourSquare, GetGlue, Spotify, and many other popular services collect information about us, our interests, activities, preferences, location, viewing/listening habits, and almost anything else and allow us to share that information with others.
There are lots of very cool free services out there that leverage all this information. But as the saying goes, if you cannot see what product is being sold, you are the product. Sites like this are usually funded through advertising. For example, Google uses keyword information from Gmail, your search history and YouTube viewing history to create a profile of your interests. This benefits you by making search results better and making you aware of goods and services that are likely to be of interest to you based on that profile; you will have to wade through less to find something you want. It benefits the advertisers by showing their ads only to people likely to be interested, thereby improving the value per advertising dollar spent.
But there is another side that you need to be aware of. Information from these services can be used in ways that may not have been originally considered or intended, especially when multiple sources are combined. A number of very revealing stories have come out over the past few years. If you haven’t heard of these, they are worth a few minutes to read.
– “Is a badge on Foursquare worth your life?” Due to Geotagging, if a Soldier uploads a photo taken on his or her smartphone to Facebook, they could broadcast the exact location of his or her unit.
Story: army.mil/article/75165/Geotagging_poses_security_risks/
– FaceDeals: This is a new service that uses the facial recognition capability of Facebook to scan your face when you walk into a store and send store discounts straight to your phone. Cool, but also a bit scary. This means that Facebook can track your physical location through a camera and sell that information to anyone they wish.
Story: nakedsecurity.sophos.com/2012/08/14/new-facebook-app-facedeals-scans-your-face-to-offer-you-deals/
– Please Rob Me: Pleaserobme.com looked at tweets from people who are also using location-based services telling the world that they’re out of town, and told the world where to go to rob their house. The site was designed to raise awareness of the risks of posting information that you might not think of as sensitive, like your home address (on Facebook) and your current location (on Twitter or Foursquare). The operators of the site shut it down after making their point.
Don’t take this as a condemnation of all those cool sites and services out there. Take advantage of them. Just be aware of what information they are collecting and make smart choices about what you share and how.
Surf safe!
Quinn Shamblin, Executive Director of Information Security, Boston University
bu.edu/infosec/
2011 Blasts
Phishing
–A few important words brought to you as part of Information Security Awareness Week
Warm regards and safe emailing,
Quinn Shamblin, Executive Director of Information Security, Boston University
Mobile phone security and what to do if you lose your phone
–A few important words brought to you as part of Information Security Awareness Week
and bu.edu/infosec/policies/security-hardening-of-ios/
Warm regards and safe phoning,
Quinn Shamblin, Executive Director of Information Security, Boston University
A couple easy tips to protect your computer
–A few important words brought to you as part of Information Security Awareness Week
Warm regards and safe computing,
Securing your iPad
–A few important words brought to you as part of Information Security Awareness Week
To properly secure an iPhone or iPad, you should:
Warm regards and safe computing,