{"id":99996,"date":"2016-07-15T15:22:29","date_gmt":"2016-07-15T19:22:29","guid":{"rendered":"http:\/\/www.bu.edu\/tech\/?page_id=99996"},"modified":"2016-09-30T14:36:35","modified_gmt":"2016-09-30T18:36:35","slug":"security-tips","status":"publish","type":"page","link":"https:\/\/www.bu.edu\/tech\/support\/information-security\/cam\/archives\/communications\/security-tips\/","title":{"rendered":"Security Tips"},"content":{"rendered":"<p><xmlns:texthelpns rwthpgen=\"1\">Every October, Boston University hosts an Information Security Awareness Week.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> \u00a0October is <\/xmlns:texthelpns><a href=\"http:\/\/www.staysafeonline.org\/ncsam\/\">National Cyber-Security Awareness Month<\/a><xmlns:texthelpns rwthpgen=\"1\"> and institutions around the nation are all put out programs and sharing information about how to keep our computers, web accounts and information more secure.<\/xmlns:texthelpns><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">One of the things we do during the our awareness week is to send out a series of emails called &#8220;Blasts&#8221; that highlight something important about information security that everyone should know.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Here are some of the messages from past years that contain information that is just as important today.<\/xmlns:texthelpns><\/p>\n<ul>\n<li><a href=\"#2014 Blasts\">2014 Blasts<\/a><\/li>\n<li><a href=\"#2013 Blasts\">2013 Blasts<\/a><\/li>\n<li><a href=\"#2012 Blasts\">2012 Blasts<\/a><\/li>\n<li><a href=\"#2011 Blasts\">2011 Blasts<\/a><\/li>\n<\/ul>\n<h2>2014 Blasts<\/h2>\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Security Breaches<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p><strong>BU Information Security Presents:\u00a0 Security Breaches<\/strong><\/p>\n<p><strong>Security Breaches.<\/strong>\u00a0 What to do when your favorite store or site gets hacked.<\/p>\n<p>Security breaches are becoming more and more common.\u00a0 Recently JP Morgan, Home Depot, Goodwill, and Google have been in the news for security breaches.\u00a0 It is important for you to know what you should do in the event that a store where you have shopped has a security breach.\u00a0 If credit card information has been stolen from the store, monitor your credit card statement and your credit report.\u00a0 You can get one free credit report from each of the three main agencies every year by going to www.annualcreditreport.com.\u00a0 Keeping an eye on these reports can help you detect if your identity or one of your financial accounts is being used fraudulently.<\/p>\n<p>If you have an account with a website that has been breached, you need to change that password.\u00a0 If you have used that same password on any other site, change it there, too.\u00a0 Always make sure you understand what information you are giving to these companies and think about what it might mean if the site is hacked.\u00a0 This includes posting pictures and other personal information.\u00a0 We keep hearing about celebrity photos being stolen from online accounts &#8211; what do you have online?\u00a0 What if Facebook were hacked tomorrow?<\/p>\n<p>Password management is increasingly crucial.\u00a0<strong> Don\u2019t use your BU password anywhere else.\u00a0 Same for your email; don\u2019t use that password anywhere else.<\/strong>\u00a0 In fact, it is best to use a different password for every account; that way if one website becomes compromised, it won\u2019t impact others.\u00a0 The easiest way to do this is to use a password management tool, which allows you to remember one password and automatically keeps track of all your other passwords for you.\u00a0 Links to some of these password management tools are listed below.<\/p>\n<p>A list of recent data breaches: [ databreachtoday.com\/news ]<\/p>\n<p>How to pick a good password:\u00a0 [ bu.edu\/infosec\/howtos\/how-to-choose-a-password\/ ]<\/p>\n<p>Some respected password management tools:<\/p>\n<p>LastPass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [ lastpass.com ]<br \/>\n1Password\u00a0\u00a0\u00a0 [ agilebits.com\/onepassword ]<\/p>\n<p>Tomorrow:\u00a0 <strong>Harden your accounts against hackers.<\/strong>\u00a0\u00a0 Make it so that there is more than just a password between the bad guys and your sensitive stuff.<\/p>\n<p>Best,<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<\/p>\n<p><\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Harden your accounts against hackers<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p><strong>BU Information Security Presents:<\/strong><\/p>\n<p><strong>Harden your accounts against hackers.\u00a0<\/strong>\u00a0 Two factor protection is now offered on many websites (Google, Facebook, more) and at BU.\u00a0 This makes it so that there is more than just a password between the bad guys and your sensitive stuff.<\/p>\n<p>The plethora of hacked web account stories over the last year prompts me to talk about how you can better protect your information on many sites you use every day.\u00a0\u00a0 It is something called two-factor (or multi-factor) authentication.\u00a0 Two-factor authentication adds another layer of confirmation in addition to your password.\u00a0 When you have this enabled, a message will be sent to your smart phone to confirm it is really you trying to log in.\u00a0\u00a0 If a hacker tries to access your account, he or she will not have your phone and so cannot get in.<\/p>\n<p>Many popular sites and services now offer two-factor protection:\u00a0 Google, Facebook, Twitter, Apple, Microsoft, and many others.<\/p>\n<p>Boston University also has two-factor protection for users of BUworks.\u00a0 We use Duo Security to provide strong protections for your salary and benefits information.\u00a0 BU staff have been on Duo for several weeks; <strong>Faculty and Student Employees are planned to be added to the system on October 14.<\/strong><\/p>\n<p>One nice thing about the Duo Security App is that it can be used for two-factor at BU and for all the other online services I talked about\u2014a one-stop solution instead of needing multiple apps.<\/p>\n<p>Two-Factor Authentication from:<br \/>\n\u2022\u00a0\u00a0\u00a0 Microsoft\u00a0\u00a0\u00a0\u00a0 [ windows.microsoft.com\/en-us\/windows\/two-step-verification-faq ]<br \/>\n\u2022\u00a0\u00a0\u00a0 Apple\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [ support.apple.com\/kb\/ht5570 ]<br \/>\n\u2022\u00a0\u00a0\u00a0 Google\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [ google.com\/landing\/2step\/ ]<br \/>\n\u2022\u00a0\u00a0\u00a0 BU\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [ bu.edu\/tech\/duo\/ ]<\/p>\n<p>Tomorrow:\u00a0 <strong>Facebook Messenger App.<\/strong> Time to freak out?<\/p>\n<p>Best,<br \/>\nQuinn Shamblin, Executive Director of Information Security, Boston University<\/p>\n<p><\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Facebook Messanger App<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><br \/>\n<strong>BU Information Security Presents:<\/strong><\/p>\n<p><strong>Facebook Messenger App.\u00a0<\/strong> No need to freak out.<\/p>\n<p>There was a lot of conversation a few weeks ago about the Facebook Messenger App.\u00a0 I was glad to see the conversation.\u00a0 We need to understand any possible risks an app might bring.\u00a0 What if the new game you download asks for access to your BU email?\u00a0 It may contain graded school work, and all sorts of personal information, plus your email can often be used to reset passwords to other websites.\u00a0 If that app is run by someone malicious, who knows what they might do.\u00a0\u00a0 Android phones generally do better at informing you about what permissions an app has requested than iPhones do, but they do so when an app is first installed.\u00a0 This is what led to the concern about Facebook Messenger.\u00a0 The permissions said that the app needed access to the phone\u2019s camera, when people were used to just IMing.<\/p>\n<p>Facebook came under fire when people thought that the Messenger app asked for too much access: to the camera, the microphone, and contacts list.\u00a0 What people are concerned about is that Messenger might do so at any time without further permissions or even you even knowing.\u00a0 The issue is that phone operating systems do not ask your permission when an app wants to do something the first time; if they ask at all, they usually do so only at install.\u00a0 A well-written app will often confirm with you permission to do something the first time it would like to do it and in fact this happens with Messenger: \u201cCan I use your location information?\u201d\u00a0 The Messenger app has legitimate need for access to your camera and microphone as it now includes a function like Skype or FaceTime and it needs your contact list so it can tell you who is calling or allow you to call easily.<\/p>\n<p>For more, visit:<br \/>\n[ facebook.com\/messengerfacts ]<br \/>\n[ nakedsecurity.sophos.com\/2014\/08\/29\/facebook-wants-you-to-know-that-messenger-is-not-spying-on-you\/ ]<\/p>\n<p>But this does highlight the importance of understanding what an app does and why it might need access to some kinds of information.\u00a0 Read the fine print in the terms and conditions before you accept them to understand what permissions you are giving the app.\u00a0 Read reviews of the device and only download apps from reputable sources (iTunes, Google Play, etc.)<\/p>\n<p>Tomorrow:\u00a0 <strong>Protecting your phone and computer in case it is stolen.<\/strong>\u00a0 A few simple steps to make sure thieves can only steal your device, not your pictures, your money or your identity.<\/p>\n<p>Best,<br \/>\nQuinn Shamblin, Executive Director of Information Security, Boston University<br \/>\n<\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Protecting your phone and computer in case it is stolen<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p><strong>BU Information Security Presents: \u00a0<\/strong><\/p>\n<p><strong>Protecting your phone and computer in case it is stolen.\u00a0<\/strong> A few simple steps to make sure thieves can only steal your device, not your pictures, your money or your identity.<\/p>\n<p>Protecting your smartphones, tablets, and laptops is crucial.\u00a0 These devices hold a world of information about you \u2013 information that could lead to embarrassment, theft of money, or even identity fraud if it falls into the wrong hands.\u00a0 The number of stolen devices each year is continually on the rise, so here are a few simple things you can do to significantly reduce your risk if your device is stolen:<\/p>\n<p>1.\u00a0\u00a0 \u00a0Put a password, passcode, or screen swipe pattern on the device.\u00a0 While it may be a little more annoying to put in a code when you pull out your phone or boot up your computer, security is impossible without this step.<br \/>\n2.\u00a0\u00a0 \u00a0Encrypt your device and computer.\u00a0 (A password is not encryption, it is just a lock on the front door)\u00a0 If an encrypted device is stolen, the thieves have only taken the device itself &#8211; they cannot also steal your pictures, your banking information, or your identity. ]<\/p>\n<p>A few important points:<br \/>\n\u2022\u00a0\u00a0 \u00a0Be sure to back up your files before you encrypt.\u00a0 It usually goes through with no issue, but it is best to make sure your stuff is going to be OK if there is some rare issue.<br \/>\n\u2022\u00a0\u00a0 \u00a0It takes a little time to do the encryption the first time, but after that is done, you should see no appreciable performance difference.<br \/>\n\u2022\u00a0\u00a0 <strong>\u00a0If you encrypt, be sure you write down the unlock key, just in case!!!<\/strong><\/p>\n<p><strong>How to encrypt<\/strong><br \/>\nInformation on how to encrypt your particular device is readily available online.\u00a0 Review it in detail before you begin, but here is some information to get you started:<br \/>\n\u2022\u00a0\u00a0 \u00a0For <strong>iPhones<\/strong>, encryption is enabled automatically (and instantly) when you set up a passcode in Settings &gt; Passcode<br \/>\n\u2022\u00a0\u00a0 \u00a0<strong>Android<\/strong> phones navigate to: Settings &gt; Security<br \/>\n\u2022\u00a0\u00a0 \u00a0For<strong> PCs<\/strong> with Windows 8, windows 7 ultimate or enterprise go to:<br \/>\nStart &gt; Control Panel &gt; BitLocker Drive Encryption<br \/>\n[ technet.microsoft.com\/en-us\/library\/dd835565%28v=ws.10%29.aspx ]<br \/>\n\u2022\u00a0\u00a0 \u00a0For<strong> MACs<\/strong> with OS X choose, go to:<br \/>\nApple menu &gt; system Preference &gt; Security &amp; Privacy &gt; FileVault<br \/>\n[ support.apple.com\/kb\/HT4790 ]<\/p>\n<p>Thanks, and have a great year!<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<br \/>\n<\/div>\n<\/div>\n\n<h2><a name=\"2013 Blasts\"><\/a><xmlns:texthelpns rwthpgen=\"1\">2013 Blasts<\/xmlns:texthelpns><\/h2>\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Spy Phones! Keeping your phone secure is more important than ever<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p><strong>BU Information Security Presents: Spy Phones! Keeping your phone secure is more important than ever.<\/strong><\/p>\n<p>Black Hat and DEFCON are two of the largest security expert and hacker conferences in the world.\u00a0 This year many of the talks were about security vulnerabilities and newly discovered hacks for smartphones.<\/p>\n<p>One group did research on a set of 650,000 phones and found that an average of one phone in every 1000 is compromised.\u00a0 Almost half of the hacked phones were iPhones, even though Androids outnumber iPhones by 3 to 1.<\/p>\n<p>There were several other talks describing how to turn a compromised phone into a spy phone, turning on the camera and microphone without the permission of the owner, stealing pictures, email messages and texts and learning everything there is to know about the owner of that phone.\u00a0 Many celebrities have found themselves highly publicized victims of such hacks, but in this era of identity theft and financial fraud, the everyday person is just as susceptible.<\/p>\n<p>What you can do to help protect your phone from being compromised:<\/p>\n<p>&#8211; Set up your phone securely.<br \/>\n&#8212; This also helps protect you if you lose your phone\u00a0 [youtube.com\/watch?v=spaQGWasqHY]<br \/>\n&#8212; At a minimum, put on a password and set your phone to lock after a few minutes.<br \/>\n&#8212; For a good checklist, see: [ bu.edu\/infosec\/policies\/security-hardening-of-ios\/ ]<br \/>\n&#8211; Never jailbreak your phone.<br \/>\n&#8211; Always get your apps from the official app stores.\u00a0 (We have seen a few counterfeits BU mobile apps available from non-official sources.)<br \/>\n&#8211; Pay attention when an app update asks for a new permission.\u00a0 The original app may have been tested for malware by the app store, but updates come straight from the author, not from the app store; this is a common way of compromising a phone.<br \/>\n&#8211; Keep your phone updated.\u00a0 When Apple or Android releases an updated version of their operating systems, make sure you back up your phone and then install the new version.<\/p>\n<p>BU Information Security is working with a cross-disciplinary group to review the mobile device security policy and technical security requirements and capabilities for phones that may contain sensitive data entrusted to BU.\u00a0 That group includes CRC and BUMC staff, CRC and BUMC teaching faculty, research faculty, and BU personnel that also work at Boston Medical Center.\u00a0 More information will be coming later this year as a result of this review.<\/p>\n<p>Tomorrow:\u00a0 <strong>One click compromise.<\/strong>\u00a0 Phishing is not always about getting your password \u2013 sometimes all they want is for you to click the link\u2026<\/p>\n<p>Best,<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<\/p>\n<p><\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">One click compromise<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p><strong>BU Information Security Presents: One click compromise<\/strong><\/p>\n<p>Phishing is not always about getting your password \u2013 sometimes all they want is for you to click the link\u2026<\/p>\n<p>Most attempts to hack your computer, phone or tablet are related to one of two things:<\/p>\n<p>1. stealing your identity or financial information for the purpose of financial gain or<br \/>\n2. compromising your computer so that it can be used by the bad guys as an extension of the network of computers they control (which often leads back to reason #1)<\/p>\n<p>Take 30 seconds to view the amusing woes of Mike, who has been a victim of identity theft:<br \/>\n\u201cI\u2019m Mike\u201d &#8211; [ youtube.com\/watch?v=h_LSbm_RKHc ]<\/p>\n<p>Most malicious software is installed automatically without your permission when you visit a website or click a link that hosts malicious software.\u00a0 Those links are often sent to you by email or text messages.\u00a0 These \u201cphishing\u201d messages are crafted by the bad guys to make you click a link.\u00a0 They might promise a funny video or claim to be a receipt for products that you never bought or claim to be a security warning from your bank or credit card, etc.\u00a0 Never click a link in an e-mail or text message, unless you know the sender and you were expecting the message.\u00a0 (Just because it is from a friend, does not mean it\u2019s a good message.\u00a0 What if your friend\u2019s account was hacked?)<\/p>\n<p>While you should remain vigilant throughout the year for phishing messages, there is often an increase in these types of messages around the following events:<\/p>\n<p>&#8211; Holidays and other seasonal event including tax day and the start of a new semester.<br \/>\n&#8211; Playing off of a well-known or publicized event.<br \/>\n&#8211; In solicitations after a tragic event.<br \/>\n&#8211; Unsolicited requests for confirmation of account credentials.<\/p>\n<p>The URLs on this page were originally sent as regular text, not as a clickable links.\u00a0 Your e-mail client may have made them clickable anyway.\u00a0 It is best to get in the habit of looking at a URL to confirm if it is a place that you trust.\u00a0 Then, paste it into your browser instead of clicking on it.<\/p>\n<p>&#8211; While we\u2019re on the subject of identity theft, if you ever use public computers, be sure you log out before you leave them.\u00a0\u00a0 \u201cLog Out for Computer Safety\u201d &#8211; [ youtube.com\/watch?v=x_gcCURLOZc th ]<br \/>\n&#8212; If you use Facebook to sign into other sites, you are leaving more than just your FB account at risk when you forget to sign out.<br \/>\n&#8212; Also, I don\u2019t recommend that you do anything related to finances when you are on a public computer.<br \/>\n&#8211; Speaking of computers that are easy to compromise: if you are still using Windows XP, you will soon lose access to support.\u00a0 This means that Microsoft will not be providing any more updates or security patches for it after April 8, 2014.\u00a0 Security experts believe that the bad guys are stockpiling hacks in gleeful anticipation of that date.<\/p>\n<p>Tomorrow: <strong>Safe file sharing using BU Google Drive.<\/strong> The BU version of Google Drive has been approved for use for sharing many types of secure files, but it is important to set up security correctly!\u00a0 This message will show you how.<\/p>\n<p>Best,<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<\/p>\n<p><\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Safe file sharing using BU Google Drive<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p><strong>BU Information Security Presents:\u00a0 Safe file sharing using BU Google Drive<\/strong><\/p>\n<p>Many faculty members and students have been embracing cloud technologies in order to more easily share files.\u00a0 There are many sites and technologies out there to help meet this need, such as Google Drive, Box, DropBox, Microsoft SkyDrive, and others.\u00a0 These solutions are very neat and provide some very nice capabilities; however, some of them have various security issues as well.<\/p>\n<p>BU Information Security has worked with the University Registrar and we are happy to announce that the BU version of Google Drive has been approved for sharing many types of secure files.\u00a0 BU has a contractual relationship with Google that provides many security protections that we do not enjoy with other services.<\/p>\n<p>It is important to set up the security for BU Google Drive correctly.\u00a0 By default Google Drive, any file upload will only be viewable by you, the account owner.\u00a0\u00a0 Many people will create a particular folder so that anyone who knows the link has access to that folder.\u00a0 This setting makes sharing easier but this approach means there is really no security on those folders.<\/p>\n<p>The proper way to set up security is to configure the folder with the e-mail addresses of the people who should have access to it, and only them.\u00a0 This is not difficult to do.\u00a0 Instructions on how to sign up for BU Google Drive, how to install it and how to configure security properly may be found at:<\/p>\n<p>[ bu.edu\/infosec\/policies\/google-drive-security\/]<\/p>\n<p>If you already have a BU Google Drive and just want to learn about how to set up security properly, you can jump straight there with this link: [ bu.edu\/infosec\/policies\/google-drive-security\/#GD%20Security ]<\/p>\n<p>That\u2019s all from me for this year\u2019s Information Security Awareness Week.\u00a0 I hope you\u2019ve learned something interesting this week and can move forward a little more safely.<\/p>\n<p>Tomorrow: <strong>Bank and credit card theft at ATMs.<\/strong> Financial fraud through skimming credit cards and ATM information is on the rise.\u00a0 Learn a few things you can do to protect yourself.<\/p>\n<p>Best,<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<\/p>\n<p><\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Bank and credit card theft at ATMs<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p><strong>BU Information Security Presents: Bank and credit card theft at ATMs<\/strong><\/p>\n<p>Financial fraud through skimming bank and credit card at ATM or gas pump locations is on the rise.<\/p>\n<p>Card skimmers (very small devices designed to read a magnetic strip on a credit card and store the information for later retrieval) and small pinhole cameras can be built into a plastic cover, which can then be snapped onto an ATM or gas pump to steal card and PIN information.<\/p>\n<p>Australian authorities have caught criminals using 3D printers to create card skimmers that perfectly blend with the ATM [ nakedsecurity.sophos.com\/2013\/08\/16\/aussie-atm-criminals-embrace-3d-printers-for-cashpoint-crimes\/ ]<\/p>\n<p>They put together this video to talk about ATM skimming and how to protect yourself<\/p>\n<p>Fiscal the Fraud Fighting Ferret: Episode 3 &#8211; ATM Skimming<\/p>\n<p>[ youtube.com\/watch?v=gWY290MaeBg ]<\/p>\n<p>A few good tips:<\/p>\n<p>&#8211; Wiggle the card entry point to see if it moves at all or if it feels solid.<br \/>\n&#8211; Look for any small holes in the card entry point or the fascia above the screen that might be concealing a hidden camera.<br \/>\n&#8211; Make sure that the key pad is secure and doesn\u2019t wiggle before you enter your PIN (some criminals have been placing very thin false covers over key pads in order to record PINs)<br \/>\n&#8211; Cover the hand you use to type in your PIN with, using your other hand or a piece of paper to prevent someone from watching or recording what you type.<br \/>\n&#8211; Carefully check your bank and credit card statements<br \/>\n&#8212; If you see small unexplained charges like a dollar or two, this may be someone testing to see whether the account information they have for you is working.<br \/>\n&#8212; If you receive electronic statements, make sure they are the preprinted pdf type and not just a webpage.\u00a0 There are some kinds of malware that will intercept a webpage and change what is printed on your screen to try to hide what has been stolen.<\/p>\n<p>Thanks, and have a great year!<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<\/p>\n<p><\/div>\n<\/div>\n\n<ul><\/ul>\n<h2><strong><a name=\"2012 Blasts\"><\/a><xmlns:texthelpns rwthpgen=\"1\">2012 Blasts<\/xmlns:texthelpns><\/strong><\/h2>\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Passwords<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p>BU Information Security Presents: <strong>Passwords<\/strong><\/p>\n<p>&#8211;A few important words brought to you as part of Information Security Awareness Week<\/p>\n<p>I understand that many of you might think of passwords as being an old and tired discussion.\u00a0 But passwords are still the most commonly used way we prove who we are, so we can access our stuff and keep other people out of it.\u00a0 There have been some major hacks over the past few months; the implications of those hacks might change how you use passwords.\u00a0 So, here are a few important things you need to know about them:<\/p>\n<p>&#8211; <strong>You need a password (or other authentication mechanism) and a strong one.<\/strong><\/p>\n<p>We have all heard this, but many people still don\u2019t have any authentication on their computer or phone.\u00a0 For some advice on how to pick a password that is easy to remember, go to:\u00a0 bu.edu\/infosec\/howtos\/how-to-choose-a-password\/<\/p>\n<p>&#8211; <strong>You need different passwords for different sites (or different types of sites).<\/strong><\/p>\n<p>This is becoming just as important as having strong passwords.\u00a0 In just the past few months, Yahoo, eHarmony, LinkedIn, last-FM, and a number of other gaming and web sites have all had large security breaches; hackers stole the passwords for many people on those sites.\u00a0 This is a big deal because most people use the same password for a lot of different sites.\u00a0 So, if one site is compromised and the hackers get your password, that password could let them in to other sites you use as well.\u00a0 They will test that password on Facebook, Google, amazon, eBay, yahoo, all the big email providers, the web sites for every major bank and all the biggest credit cards, trying to find information or access that can be turned into cash.\u00a0 For a first person account of this, read Mat Honan\u2019s story which begins, \u201cIn the space of one hour, my entire digital life was destroyed.\u201d (wired.com\/gadgetlab\/2012\/08\/apple-amazon-mat-honan-hacking\/all\/)<\/p>\n<p>Think about using a password manager or a password segregation scheme.\u00a0 For more on this, see bu.edu\/today\/2012\/linkedin-hacking-what-you-need-to-know\/<\/p>\n<p>&#8211; <strong>You need to change any password that came on your device by default.<\/strong><\/p>\n<p>A lot of devices have Default passwords built in that you might not think about.\u00a0 For example, if you have not changed the password on your wireless internet router at home, anyone can go in and mess with your router, see computers on your network, steal your bandwidth and more.\u00a0 You need to change these to a strong password that only you know.<\/p>\n<p>If you haven\u2019t reviewed last year\u2019s messages, you should go check them out; refresh your memory on a few things.\u00a0 Read them at:\u00a0 bu.edu\/infosec\/isaw\/blasts\/<\/p>\n<p>Best regards,<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<br \/>\nbu.edu\/infosec\/<br \/>\n<\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Keeping your stuff up to date<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p>BU Information Security Presents: <strong>Keeping your stuff up to date<\/strong><\/p>\n<p>&#8211;A few important words brought to you as part of Information Security Awareness Week<\/p>\n<p>When a little window pops up on your computer telling you there is an update available for some piece of software or other, most people just sigh with exasperation and close the window.\u00a0 \u201cDon\u2019t BOTHER me right now, I\u2019ll do it later\u201d is a pretty common reaction.\u00a0 But those updates are there to keep you safe.<\/p>\n<p>Most of the time, those updates are being pushed out because someone has discovered a security hole with that software.\u00a0 The update is what we call a \u201cpatch\u201d for that hole.\u00a0 Unpatched, these holes can allow a hacker to control or bypass the operating system of your computer.\u00a0 That is one of the major goals of hackers: to control the system that holds your information.<\/p>\n<p><strong>Keeping software up to date is important for all software.<\/strong> Anything can have an vulnerability, <strong>but it is crucial for Java, Flash, Acrobat (PDFs) and your operating system<\/strong> (Windows, Mac, or Linux, it doesn\u2019t matter, they all have security flaws).\u00a0 Java, Flash and PDFs are very common and run across multiple platforms.\u00a0 This means that if a hacker can find a security whole in one of them, it doesn\u2019t matter if the computer is Windows or Mac.\u00a0 For context, there are more exploits designed to attack holes in PDFs than there are for all version of Windows combined.<\/p>\n<p>There is tremendous incentive to find security holes.\u00a0 Criminal organizations routinely pay upwards of $100,000 for a single new exploit.\u00a0\u00a0 Almost every time you see a reminder to update, someone has found another one.\u00a0 So, I know it can be a little annoying, but make sure to keep your stuff up to date!<\/p>\n<p>Best regards,<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<br \/>\nbu.edu\/infosec\/<br \/>\n<\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">My files are stored on a free cloud service, are they safe?<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p>BU Information Security Presents: <strong>My files are stored on a free cloud service, are they safe?<\/strong><\/p>\n<p>&#8211;A few important words brought to you as part of Information Security Awareness Week<\/p>\n<p>Actually, files stored in the cloud are usually pretty safe.\u00a0 In some ways those files are safer than those you have that are stored only on your laptop or mobile phone.\u00a0 If your computer or phone is lost, stolen or damaged and it was the only place where your important files were kept, those files are gone.\u00a0 If they were also stored in the cloud, you have a backup.\u00a0 In fact, most cloud storage providers have strong redundancy and backup systems and losses of files stored with them are rare.\u00a0 They are also a nice way to keep the files in one place and be able to access them from many devices and locations.<\/p>\n<p>However, there are a few other considerations, especially if you store files that are sensitive in any way.<\/p>\n<p>&#8211; <strong>Not all cloud services are equal.<\/strong> Some do a much better job with security, redundancy and internal control.\u00a0 Review the terms of service carefully to understand what they are offering.\u00a0 One thing to understand: however unlikely it may be, if the files you store on such a service are lost, you will likely have no recourse at all.\u00a0 Those files will be gone and there will be nothing you can do about it.<br \/>\n<strong>Recommendation:<\/strong> Never have your files in only one place; always keep a backup somewhere else as well.<\/p>\n<p>&#8211; <strong>Password reuse is a big problem.<\/strong> One of my earlier emails pointed out the dangers of using the same password for multiple sites.\u00a0 That is just as important here.\u00a0 If your password were compromised on some other site and hackers tried it out on your cloud provider, what files would they have access to?<br \/>\n<strong>Recommendation:<\/strong> Use a password manager or some other approach so that any site with important information about you gets its own password.\u00a0 For more on this and some recommendations, read:\u00a0 bu.edu\/today\/2012\/linkedin-hacking-what-you-need-to-know\/<\/p>\n<p>&#8211;<strong> Others may be able to access your files.<\/strong> Even if you are careful to use a unique password for all your accounts, some other person might still be able to access your files in a variety of ways:<br \/>\n&#8212; A security hole could be discovered and your files accessed before the company can install a fix,<br \/>\n&#8212; An employee of the company could take it into his or her head to just start poking around, despite the company policy forbidding it,<br \/>\n&#8212; The company could be subject to a court order and be compelled to provide access, etc.<br \/>\n&#8212; The company might simply decide to delete your files.\u00a0\u00a0 It has happened:\u00a0 In July of 2009, Amazon deleted George Orwell\u2019s 1984 from every Kindle (define irony).\u00a0 Story: nytimes.com\/2009\/07\/18\/technology\/companies\/18amazon.html<\/p>\n<p>For most of your files, it probably doesn\u2019t matter very much if someone else sees them, but what about your financial records, medical history or personal photos?<\/p>\n<p><strong>Recommendation 1:<\/strong> Be selective about what you choose to store in the cloud.\u00a0 You need to assume that anything you upload can be accessed by someone else: you don\u2019t have an expectation of privacy and certainly don\u2019t have any legal protection if your files are accessed.\u00a0 That said, you can do something about this by using\u2026<\/p>\n<p><strong>Recommendation 2:<\/strong> Encryption.\u00a0 If you choose to store sensitive files in the cloud, consider encrypting those files so that only you can open them.\u00a0 If you encrypt a file with a program like Truecrypt (truecrypt.org), the contents will be inaccessible to anyone who might get access to the files inappropriately.<\/p>\n<p>Some of the services that IS&amp;T provides are through the cloud.\u00a0 Where a cloud service has been provided by IS&amp;T, we work to mitigate these risks.\u00a0 In some cases, we are able to negotiate stronger protections and levels of service than you can get as an individual consumer.\u00a0 We will always make it clear in the service description what the requirements, terms and limitations are for our services.\u00a0 Sensitive University data should not be put on any consumer cloud service (sensitive data is anything protected by law like student grades and any financial or medical information).<\/p>\n<p>Best regards,<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<br \/>\nbu.edu\/infosec\/<\/p>\n<p><\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Facebook and Google know everything about me, should I care?<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p>BU Information Security Presents: <strong>Facebook and Google know everything about me, should I care?<\/strong><\/p>\n<p>&#8211;A few important words brought to you as part of Information Security Awareness Week<\/p>\n<p>Humans are social creatures and we now have services at our fingertips that allow us to be more connected than ever before in history.\u00a0 Facebook, Google, YouTube, Twitter, FourSquare, GetGlue, Spotify, and many other popular services collect information about us, our interests, activities, preferences, location, viewing\/listening habits, and almost anything else and allow us to share that information with others.<\/p>\n<p>There are lots of very cool free services out there that leverage all this information.\u00a0 But as the saying goes, if you cannot see what product is being sold, you are the product.\u00a0 Sites like this are usually funded through advertising.\u00a0 For example, Google uses keyword information from Gmail, your search history and YouTube viewing history to create a profile of your interests.\u00a0 This benefits you by making search results better and making you aware of goods and services that are likely to be of interest to you based on that profile; you will have to wade through less to find something you want.\u00a0 It benefits the advertisers by showing their ads only to people likely to be interested, thereby improving the value per advertising dollar spent.<\/p>\n<p>But there is another side that you need to be aware of.\u00a0 Information from these services can be used in ways that may not have been originally considered or intended, especially when multiple sources are combined.\u00a0 A number of very revealing stories have come out over the past few years.\u00a0 If you haven\u2019t heard of these, they are worth a few minutes to read.<\/p>\n<p>&#8211; &#8220;Is a badge on Foursquare worth your life?&#8221;\u00a0 Due to Geotagging, if a Soldier uploads a photo taken on his or her smartphone to Facebook, they could broadcast the exact location of his or her unit.<br \/>\nStory:\u00a0 army.mil\/article\/75165\/Geotagging_poses_security_risks\/<br \/>\n&#8211; FaceDeals:\u00a0 This is a new service that uses the facial recognition capability of Facebook to scan your face when you walk into a store and send store discounts straight to your phone.\u00a0 Cool, but also a bit scary.\u00a0 This means that Facebook can track your physical location through a camera and sell that information to anyone they wish.<br \/>\nStory:\u00a0 nakedsecurity.sophos.com\/2012\/08\/14\/new-facebook-app-facedeals-scans-your-face-to-offer-you-deals\/<br \/>\n&#8211; Please Rob Me:\u00a0 Pleaserobme.com looked at tweets from people who are also using location-based services telling the world that they&#8217;re out of town, and told the world where to go to rob their house.\u00a0 The site was designed to raise awareness of the risks of posting information that you might not think of as sensitive, like your home address (on Facebook) and your current location (on Twitter or Foursquare).\u00a0 The operators of the site shut it down after making their point.<\/p>\n<p>Don\u2019t take this as a condemnation of all those cool sites and services out there.\u00a0 Take advantage of them.\u00a0 Just be aware of what information they are collecting and make smart choices about what you share and how.<\/p>\n<p>Surf safe!<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<br \/>\nbu.edu\/infosec\/<br \/>\n<\/div>\n<\/div>\n\n<h2><strong><a name=\"2011 Blasts\"><\/a><xmlns:texthelpns rwthpgen=\"1\">2011 Blasts<\/xmlns:texthelpns><\/strong><\/h2>\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Phishing<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">BU Information Security Presents:<\/xmlns:texthelpns> <strong>Phishing<\/strong><\/p>\n<p>&#8211;A few important words brought to you as part of Information Security Awareness Week<\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">Most people think they know about spam and phishing, yet every day someone at Boston University falls for a common email scam and has their account compromised.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Here are a few simple tips to avoid being hooked by a phisher:<\/xmlns:texthelpns><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">1.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> If the email asks for your password, it is a scam.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Delete it.<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">2.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> If the email is about a financial account you don\u2019t have or an order that you don\u2019t know anything about, it is almost certainly a scam.<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">3.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> If you feel you must check out something sent to you in email DON\u2019T CLICK THE LINK.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 It is completely possible to make a link lie to you.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0\u00a0 Instead, use your browser to go to the known and trusted website by typing in the URL\/Web Address yourself.For example, take this link:<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 http;\/\/www.google.com\/If you click this, it will not take you to Google, it will take you somewhere completely different.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Scammers use this trick all the time to trick you to going to malicious websites.<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">4.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> You can tell where a link is going to take you by hovering over it with your mouse.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Don\u2019t click.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Hover.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 If you do this for the link above you will see yahoo pop up in a box by your pointer or in a space at the bottom of your email client or browser.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 General rule:<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> if the email message is lying to you about where it wants to send you, it is a scam.<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">5.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> Forward scam emails to abuse@bu.edu and then delete them.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> If in doubt, call the IT Help Desk (Charles River Campus (617) 353-4357, Medical Campus (617) 638-5914).<\/xmlns:texthelpns><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">For more information visit:<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 http:<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\/\/www.bu.edu\/infosec\/howtos\/fight-phishing\/<\/xmlns:texthelpns><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">(The above link was sent in clear text and is pointing to a domain you trust, bu.edu.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 But if your email client made the link clickable, you should still get into the habit of not clicking it, but copying and pasting the link into your browser.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">)<\/xmlns:texthelpns><\/p>\n<p>Warm regards and safe emailing,<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<\/p>\n<p><\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Mobile phone security and what to do if you lose your phone <\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">BU Information Security Presents:<\/xmlns:texthelpns> <strong>Mobile phone security and what to do if you lose your phone<\/strong><\/p>\n<p>&#8211;A few important words brought to you as part of Information Security Awareness Week<\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">Modern smart phones are computers, in every way that counts.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 And you typically have them set up to automatically access your email and other apps that may contain sensitive information about you, your family, friends or business contacts.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 All that power\u2014all that access\u2014sits in the palm of your hand in a device that is very easy to lose.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 There are a few simple things you can do to help protect it:<\/xmlns:texthelpns><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">1.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> Put a password\/code\/pattern on it and set it to automatically lock after 5 minutes.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 It might be a little annoying at first, but it\u2019s important and you\u2019ll get used to it quickly.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 For a bit of a laugh:<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 youtube.com\/watch?v=spaQGWasqHY<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">2.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> Get an anti-virus program installed.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Yes, anti-virus for your smart phone.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Remember these are computers, and they are almost completely unprotected.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 The hackers know this and are putting a lot of attention on it.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Here is a good free AV product:<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 mylookout.com<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">3.<\/xmlns:texthelpns> <strong>If you lose your phone, don\u2019t have it disconnected until you call the IS&amp;T Help Center.<\/strong><xmlns:texthelpns rwthpgen=\"1\">\u00a0 If your phone is set up to pull your email from BU Exchange, you can request that we wipe the phone in the event that the phone is lost.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 This way no one can get to any private information on that phone.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 But we can\u2019t do this if you have the service disconnected before talking to us.<\/xmlns:texthelpns><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">For more information visit:<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 bu.edu\/infosec\/howtos\/smartphone-security-measures\/<\/xmlns:texthelpns><\/p>\n<p>and bu.edu\/infosec\/policies\/security-hardening-of-ios\/<\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">(The above links were sent in clear text and are pointing to a domain you trust, bu.edu.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 But if your email client made them clickable, you should still get into the habit of copying and pasting them into your browser instead of clicking.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">)<\/xmlns:texthelpns><\/p>\n<p>Warm regards and safe phoning,<\/p>\n<p>Quinn Shamblin, Executive Director of Information Security, Boston University<\/p>\n<p><\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">A couple easy tips to protect your computer<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\">\n<p><xmlns:texthelpns rwthpgen=\"1\">BU Information Security Presents:<\/xmlns:texthelpns> <strong>A couple easy tips to protect your computer<\/strong><\/p>\n<p>&#8211;A few important words brought to you as part of Information Security Awareness Week<\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">You may have heard these tips before, but they work!<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Every day the IT Help Center at BU fixes problems that might have been avoided if the person had followed these simple steps:<\/xmlns:texthelpns><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">&#8211; Make sure your computer and the software on your computer gets updates automatically.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Yeah, it\u2019s a little annoying, but almost all those updates are to fix security vulnerabilities that someone found and that are actively being exploited.<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">&#8211; Get anti-malware software.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Even if you have a Mac, GET ANTI-MALWARE.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 Every year for the past 5 years, Mac\u2019s were the first computers to get hacked into during a popular international hacker competition.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 One year it only took 13 seconds.<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">&#8211; Never give out your password to anyone.<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">&#8211; Regularly back up your important files.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 If the worst happens and you have to completely reinstall your computer, at least you will still have all your files.<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">&#8211; Don\u2019t use an administrative account as your normal account.<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">For details of what this means and how to fix it, see:<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 bu.edu\/infosec\/howtos\/how-to-create-an-admin-account\/<\/xmlns:texthelpns><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">For more information visit:<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 bu.edu\/infosec\/howtos\/how-to-lock-your-computer\/<\/xmlns:texthelpns><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">(The above link was sent in clear text and is pointing to a domain you trust, bu.edu.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 But if your email client made the link clickable, you should still get into the habit of copying and pasting the link into your browser.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">)<\/xmlns:texthelpns><\/p>\n<p>Warm regards and safe computing,<\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">Quinn Shamblin, Executive Director of Information Security, Boston University<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\"><\/div>\n<\/div>\n<\/xmlns:texthelpns><\/p>\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Securing your iPad<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\">\n<p><xmlns:texthelpns rwthpgen=\"1\">BU Information Security Presents:<\/xmlns:texthelpns> <strong>Securing your iPad<\/strong><\/p>\n<p>&#8211;A few important words brought to you as part of Information Security Awareness Week<\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">iPads and iPhones are so popular that we felt they needed their own message.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 The security on these products is really quite good, but only IF you make sure the password is set and the device is set to lock after a few minutes of not being used.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 If you don\u2019t set the password, nothing is encrypted and the protections are significantly lower.<\/xmlns:texthelpns><\/p>\n<p>To properly secure and iPhone or iPad, you should:<\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">1.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> Require a passcode to access the device<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">2.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> Set auto-lock timeout to lock your device after a short period of non-use, 5 minutes or so<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">3.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> Disable grace period for lock or set it to a low value like 2 minutes<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">4.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> Set the system to erase your data if someone tries to break in by entering the wrong passcode 10 time in a row<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\">5.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\"> Consider activating \u201cFindMyPhone\u201d on your device.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 This allows you to see where your phone is if you lose it and can even allow you to remotely wipe the data from it if you need to do so.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 For details, see:<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 apple.com\/iphone\/built-in-apps\/find-my-iphone.html<\/xmlns:texthelpns><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">For details on how to do these things, visit:<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 bu.edu\/infosec\/policies\/security-hardening-of-ios\/<\/xmlns:texthelpns><\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">(The above link was sent in clear text and is pointing to a domain you trust, bu.edu.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">\u00a0 But if your email client made the link clickable, you should still get into the habit of copying and pasting the link into your browser.<\/xmlns:texthelpns><xmlns:texthelpns rwthpgen=\"1\">)<\/xmlns:texthelpns><\/p>\n<p>Warm regards and safe computing,<\/p>\n<p><xmlns:texthelpns rwthpgen=\"1\">Quinn Shamblin, Executive Director of Information Security, Boston University<\/xmlns:texthelpns><br \/>\n<xmlns:texthelpns rwthpgen=\"1\"><\/div>\n<\/div>\n<\/xmlns:texthelpns><\/p>\n<p><!--more--><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Every October, Boston University hosts an Information Security Awareness Week. \u00a0October is National Cyber-Security Awareness Month and institutions around the nation are all put out programs and sharing information about how to keep our computers, web accounts and information more secure. One of the things we do during the our awareness week is to send&#8230;<\/p>\n","protected":false},"author":4697,"featured_media":0,"parent":99649,"menu_order":1,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/99996"}],"collection":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/users\/4697"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/comments?post=99996"}],"version-history":[{"count":5,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/99996\/revisions"}],"predecessor-version":[{"id":100002,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/99996\/revisions\/100002"}],"up":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/99649"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/media?parent=99996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}