Background on OpenSSL and Heartbleed
Late on Monday, April 7, researchers discovered a flaw in the security tool OpenSSL, which provides the encryption that protects Internet traffic and communications between one device and another. Most users would know this as the small, closed padlock and "https:" on web browsers that signify that your Internet traffic is secure. The flaw, nicknamed "Heartbleed", allows an attacker to capture usernames, passwords, and pretty much any other information.
Why this matters
OpenSSL is used everywhere: when you shop at Amazon, access your personal email, use your personal banking, or visit your social network, blogging and sharing sites. It can also be used to secure communications on personal mobile devices, such as smart phones and tablets, through the securing of web browsers, or installations of web apps you may have installed. The "Heartbleed" vulnerability in OpenSSL could allow a remote attacker to access sensitive data that is passed through it, such as login information like usernames and passwords.
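To make the "could allow a remote attacker to access sensitive data" point concrete, here is a toy model of the defect, written as an added example (it is not code from the original page and not OpenSSL's code). It follows the heartbeat record layout from RFC 6520 (a 1-byte type, a 2-byte payload length, the payload, and at least 16 bytes of padding): the unchecked handler trusts the declared length and copies past the end of the record, while the checked handler applies the bounds check that the fix introduced. The "process memory" bytearray and the secret placed after the record are constructed for illustration.

```python
"""Toy model of the TLS heartbeat length check behind Heartbleed.

Added example, not code from the original page or from OpenSSL. Record
layout per RFC 6520: type (1 byte), payload_length (2 bytes), payload,
then at least 16 bytes of padding. The 'memory' buffer and the secret
next to the record are constructed for this example.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_length lets a test lie about the size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def echo_payload_unchecked(memory: bytearray, record_offset: int, record_length: int) -> bytes:
    """Mimics the pre-fix behaviour: trusts payload_length and copies that many
    bytes starting at the payload, even when that runs past the record."""
    _, payload_length = struct.unpack_from("!BH", memory, record_offset)
    start = record_offset + 3
    return bytes(memory[start:start + payload_length])


def echo_payload_checked(memory: bytearray, record_offset: int, record_length: int) -> Optional[bytes]:
    """Applies the bounds check from the fix: header + declared payload +
    minimum padding must fit inside the record actually received."""
    _, payload_length = struct.unpack_from("!BH", memory, record_offset)
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None  # discard the request, as the fixed code does
    start = record_offset + 3
    return bytes(memory[start:start + payload_length])


def demo() -> dict:
    """Place a record next to a constructed 'secret' and run both handlers."""
    secret = b"session_cookie=CONSTRUCTED_SECRET_VALUE"  # constructed, not real
    honest = build_heartbeat(b"ping")                      # says 4 bytes, sends 4
    lying = build_heartbeat(b"ping", claimed_length=60)    # says 60 bytes, sends 4
    results = {}
    for name, record in (("honest", honest), ("lying", lying)):
        memory = bytearray(record + secret)  # the secret sits right after the record
        results[name] = {
            "unchecked": echo_payload_unchecked(memory, 0, len(record)),
            "checked": echo_payload_checked(memory, 0, len(record)),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running it shows the honest record echoed by both handlers, while the lying record makes the unchecked handler return the neighbouring secret and makes the checked handler return nothing. That is the whole difference between the vulnerable and the patched versions, and why patching the server, not the user's password, is the first fix.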
What Brown is doing
Brown technical staff has been engaged and responding to this issue as soon as the bug became public. The Information Security and Network Technology groups in CIS, in conjunction with the technical staff members across campus, have assessed the areas at Brown that are impacted by this vulnerability. Most fixes are already in place, while others are in progress.
What you should do
Most of the work that needs to be done is by technical staff who must patch the affected servers and systems, whether for Amazon, Yahoo, your bank, social network, etc., or here at Brown for those few servers and systems that must be updated.
There are, however, a few tips and actions you may want to consider for your personal computing. The following have been gathered from multiple open sources, and are based upon guidance and advice from experts across many areas:
- At this time, Brown University is not asking users to change their Brown network passwords.
- Regarding your other passwords, we recommend that you update them but only after it has been confirmed that the websites have taken the proper measures and are secure. Many sites and services are already sending emails to their customers that they have taken the proper actions.
- If the sites and services that you use include alternate ways of confirming your identity, such as a cell phone number for confirmation text messages, consider using them. This will limit what an attacker can do if your password has been compromised.
- You should exercise caution when visiting websites, as "Heartbleed" can affect web browsers. Expect all major browsers to address this issue very soon with an update, if they have not already.
- You can test sites using the Heartbleed Test Site (https://lastpass.com/heartbleed).
- In the short term, when finished with a website, completely log out if you were logged in (such as with Facebook, Yahoo, etc.), and when finished surfing the web, close your browser.
- We anticipate a new wave of phishing messages using this vulnerability as an excuse to steal login credentials and compromise accounts. Beware of spam messages about "Heartbleed."
- Monitor financial statements closely. Check bank and credit card statements for unusual activity.
- Unless you have heard from your bank directly that they are not vulnerable, we recommend refraining from doing any online banking for a few days.
- Heartbleed Bug: Recap + Q&A Brown Bag | Sign-up for Brown Bag at brown.edu/go/heartbleed-brown-bag
- Background Information: The Heartbleed Bug
- Heartbleed Bug Health Report
- The Heartbleed Hit List: The Passwords You Need to Change Right Now
- NPR Marketplace story: The Heartache of Heartbleed
- Brian Krebs: What Can You Do?
- How to talk to your kids (or manager) about "Heartbleed"
ISG has added the new section How Do I ...? to their web pages. From the main "Information Security" link, click on the "How Do I ...?" link for a collection of commonly asked questions with quick answers, plus links to more details.
Privacy is important year-round, but January 28 - February 28 is a time specifically set aside to highlight the issue of privacy. ISG recommends three ways to get involved:
- 1/30 1-2 PM: Web event "Location, Location, Location" with privacy expert Robert Ellis Smith. brown.edu/go/privacy
- 2/11 6:30-8 PM: Free screening of award-winning documentary "Terms and Conditions May Apply", "mandatory viewing for everyone who uses the Internet." Q&A session follows. Light refreshments + door prizes. brown.edu/go/tacma
- 2/24 Noon: "Your Life Online" Brown Bag. brown.edu/go/YourLifeOnline
Brown is participating in National Data Privacy Month from January 28th-February 28th, 2014. While not as intensive a campaign as the one we run each October for Cyber Security Month, there are still opportunities to hear from experts, learn how to protect your individual privacy online, and view an intriguing documentary. More on that later.
Privacy is a large concern to many people, and with so much of our lives and actions online, protecting one’s privacy is becoming increasingly more difficult. I'm sure that you are all aware of the breach of credit cards and personal information from Target, and maybe even have been directly impacted by it. With more and more information being made available by the company, it is now considered the largest breach in the history of personal data. While we laugh that it is no surprise given the name "target", it is no laughing matter. Many of the victims have had their finances, credit and personal lives negatively impacted. Sadly, attacks such as this will continue, as the value of the data continues to increase.
Maintaining your privacy takes effort, and the ISG is here to help. With webpages offering advice, a national webcast on January 30th by Robert Ellis Smith (the nation’s leading privacy advocate), and an ISG brown bag lunch February 24 on "Your Life Online", you have opportunities over the next few weeks to gain insight and knowledge on not only protecting your privacy, but what to do if your information is leaked.
We will also be providing a screening of an intriguing documentary called Terms and Conditions May Apply. Including a Q&A session afterwards with leading members of the Brown community in this area, it will be both an eye-opening and valuable night. I hope that you can attend. Details at brown.edu/go/TACMA.
As always, I welcome your comments and feedback. Please feel free to reach out to me directly at firstname.lastname@example.org, or the group at ISG@brown.edu. Let me know how we are doing, areas of concern you may have, or questions on protecting your identity, privacy or personal computing security. And remember, sec_rity is not complete without U!
Think you may have been part of a security breach affecting Target or other retailers? Whether or not you were a victim, ISG recommends a few things you can do to protect your identity as well as your financial reputation.
Keep an eye on your bank account statements
Most banking institutions allow you to set alerts for unusual activity, so that information is pushed to you rather than your needing to remember to log into your account every day. Jay Gatten of The Human Defense suggests having a text sent to you for any transaction (including cash withdrawals) over $100 (or whatever amount you are most comfortable with).
Debit or Credit?
Gatten as well as others also recommend not using your debit card as a debit card, since its PIN could be captured when slid or inserted in a rogue POS (point of sale) device. Instead, use credit cards whenever possible, which allow you to use the bank's money until you pay it back. This is the reason they will take immediate action if there is a chance of credit card fraud. (Watch this recent news story for more on debit versus credit.) Another alternative: use cash whenever possible, such as at gas stations.
Order free credit reports
An amendment to the federal Fair Credit Reporting Act requires each of the three major nationwide consumer reporting companies (Equifax, Experian and Trans Union) to provide you with a free copy of your credit report, at your request, once every 12 months. This means you can stagger your requests and order a report from one of them every four months. You can order reports at www.AnnualCreditReport.com.
FTC & Identity Theft
Beware phishing attempts
Some of the expected fallout from the recent breaches is phishy emails, texts or even phone calls to those whose personal information was stolen. Because of this, be extra vigilant for anything that doesn't quite seem right. Learn how to spot a phish at www.brown.edu/go/phishing. Unfortunately, the "Important message from Target to our guests" email that was sent mid-January looks a bit phishy. What do you think they could have done better? On the plus side, the letters did contain helpful recommendations, much like what is contained here. But it also included an offer for a free credit report that some have found confusing or are unable to act upon since they don't have email and access to the Internet.
Home networks were relatively simple several years ago, perhaps nothing more than a wireless access point and a computer or two used to surf the Internet or play games online. However, home networks have become increasingly complex. Not only are we connecting more devices to our home networks, but we are doing more things with them. In this edition we will cover some basic steps to creating a more secure home network.
Your Wireless Network
Almost every home network starts with a wireless network (sometimes called a Wi-Fi network). This is what enables you to wirelessly connect any of your devices to the Internet, from laptops and tablets to gaming consoles and televisions. For this to happen, your wireless network needs something called a wireless access point. This is a physical device that connects to your Internet router (or may be built into your Internet router) and sends out a wireless signal that your devices connect to. Once your devices connect to the access point, they can then connect to other devices on your home network and the Internet. As a result, your wireless access point is one of the key parts of your home network. As such, we recommend the following steps to securing it:
- For most wireless access points, the default administrator login and password is well-known and often even posted on the Internet. As such, be sure to change the default administrator login and password to something that only you know. Make sure that it is a unique password and is not used for any of your other accounts.
- Another option you will need to configure is the name of your wireless network (sometimes called your SSID). This is the name your devices will see when they search for local wireless networks. Give your network name something unique so you can easily identify it, but make sure it does not contain any personal information. Also, there is little value in configuring your network as hidden (or non-broadcast). Most wireless scanning tools or any skilled attacker can easily discover the details of a hidden network.
- The next step is ensuring that only people you know and trust can connect to and use your wireless network, and that those connections are encrypted. You want to be sure that neighbors or strangers cannot connect to or monitor your network. You can easily mitigate these risks by enabling strong security on your wireless access point. Currently, the best option is to use the security mechanism WPA2. By simply enabling this, you require a password for people to connect to your home network and, once authenticated, those connections are encrypted. Be sure you do not use older, outdated security methods such as WEP, or no security at all (which is called an open network). An open network allows anyone to connect to your wireless network without any authentication.
- Make sure the password people will use to connect to your wireless network is a strong, hard-to-guess password and that it is different from the administrator password. Remember, you most likely have to enter the password only once for each of your devices, as they will each store and remember the password.
- Many wireless access points support what is called a Guest Network. A Guest Network allows visitors to connect to your wireless access point and access the Internet, but they cannot connect to any of the devices on your home network. If you add a Guest Network, be sure to enable WPA2 and a different password for this network.
- If you can’t remember the different passwords then use a password manager to securely store them.
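The checklist above maps directly onto a handful of access-point settings, so here is an added example (not part of the original article) that audits two constructed configurations against it: a weak one that fails every item and a corrected one that passes. The key=value format is constructed for this example (loosely modelled on hostapd-style files, not a real vendor export), and the list of factory-default passwords and the 12-character minimum passphrase length are this example's assumptions rather than figures from the article.

```python
"""Audit home access-point settings against the article's checklist.

Added example, not code from the original article. The key=value layout,
both sample configurations, the default-password list and the minimum
passphrase length are constructed assumptions for this example.
"""
from typing import Dict, List

DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234", "12345"}  # constructed list
MIN_PASSPHRASE_LEN = 12  # assumption, not a figure from the article

# Weak settings: factory admin password, hidden SSID, WEP, reused short passphrase,
# unprotected guest network. Constructed for the example.
WEAK_CONFIG = """
admin_password=admin
ssid=linksys
hidden=1
security=wep
passphrase=admin
guest_enabled=1
guest_security=open
guest_passphrase=admin
"""

# Corrected settings following the checklist. Passphrases are constructed samples.
HARDENED_CONFIG = """
admin_password=Correct-Horse-Battery-Staple-42
ssid=blue-teapot
hidden=0
security=wpa2
passphrase=rain-on-the-window-pane-7
guest_enabled=1
guest_security=wpa2
guest_passphrase=visitors-welcome-but-separate-9
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines; '#' starts a comment, blank lines are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per checklist item that the settings violate."""
    findings: List[str] = []
    admin_pw = settings.get("admin_password", "")
    wifi_pw = settings.get("passphrase", "")

    if admin_pw.lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("administrator password is a factory default")
    if settings.get("hidden", "0") == "1":
        findings.append("hidden SSID adds little protection; scanners still find it")
    security = settings.get("security", "open").lower()
    if security != "wpa2":
        findings.append(f"wireless security is '{security}'; use WPA2")
    if len(wifi_pw) < MIN_PASSPHRASE_LEN:
        findings.append("wireless passphrase is too short")
    if wifi_pw and wifi_pw == admin_pw:
        findings.append("wireless passphrase equals the administrator password")
    if settings.get("guest_enabled", "0") == "1":
        if settings.get("guest_security", "open").lower() != "wpa2":
            findings.append("guest network is not protected by WPA2")
        if settings.get("guest_passphrase", "") == wifi_pw:
            findings.append("guest network reuses the main wireless passphrase")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_config(text)) or ["no findings"])
```

The weak configuration produces seven findings, one per checklist item, and the corrected one produces none. Real access points expose these settings through a web interface rather than a text file, but the same questions apply: is the admin password still the default, is WPA2 on, are the main and guest passphrases long and different.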
Once you have your wireless network configured, we recommend you configure your home network to use OpenDNS as your DNS servers (or a similar service, such as Norton ConnectSafe for Home). When you type a name into your browser, DNS is how your browser knows which server on the Internet to connect to. Services such as OpenDNS identify known, infected websites and stop any device connected to your home wireless network from accidentally visiting these infected websites. In addition, these services often give you the ability to filter and block objectionable websites. What makes this approach so effective is there is no software to install on your devices, you just make a change to your wireless access point.
The next step involves knowing what is connected to your home network and making sure those devices are secure. This used to be simple, as you only had a few devices connected in the past. Nowadays, however, almost anything can connect to your home network, including TVs, gaming consoles, baby monitors, speakers, your house thermostat and even your car. Once you identify all the devices on your home network, you may be surprised by just how many you have. The best way to keep all of these devices secure is to ensure they are always running the latest version of their operating system. Be sure you have auto-update enabled when possible. If this is not an option, then review and update your devices monthly, if possible. In addition, be sure to visit your Internet service provider's website, as they may provide free tools and services to help you secure your home network.
- OpenDNS: http://www.opendns.org
- Norton ConnectSafe: http://dns.norton.com/dnsweb/dnsForHome.do
- Network Security Scanner: http://www.sophos.com/en-us/products/free-tools/network-security-scan.aspx
- Password Managers: http://www.securingthehuman.org/resources/newsletters/ouch/2013#october2013
Note: This article was prepared by Kevin Johnson, who is the CEO at Secure Ideas, runs MySecurityScanner.com and is a senior instructor with the SANS Institute. You can find more information at www.secureideas.com. It was prepared for the January 2014 issue of OUCH!, Securing Your New Tablet. OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 3.0 license. You are free to share or distribute this article as long as you do not sell or modify it. For past editions or translated versions, visit www.securingthehuman.org/ouch. Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Bob Rudis
Keep up with alerts and tips from the Information Security Group by following us on Twitter at https://twitter.com/ISGatBrown and https://twitter.com/CISOatBrownU. Here's a sample of a recent tweet so you can see what you're missing:
ISG @ Brown @ISGatBrown: Do you know your #privacy IQ? 10 quick Q's to find out, brought to you by StaySafeOnline & ZeroKnowledgePrivacy.org: http://myprivacyiq.com/
The latest issue of Secure IT! has been released. We invite you to peruse this issue, view back issues (to 2010) and send us ideas for future ones. Enjoy!
- CISO Memo: It's All About Privacy :: With so much of our lives and actions online, protecting one's privacy is becoming increasingly more difficult. ISG is here to help.
- Identity Finder Reminder :: Not running Identity Finder regularly? Find out why you should.
- Targeted in a Recent Security Breach? :: Were you affected by the latest retail security breaches? Read ISG's recommendations on what you can do.
- Secure Your Home Network :: In his recent article "The Internet of Things is Wildly Insecure", security expert Bruce Schneier said, "If we don't solve this soon, we're in for a security disaster as hackers figure out that it's easier to hack routers than computers." Find out if your home router is at risk and what you can do to mitigate it.
- Securing Your New Tablet :: If Santa surprised you with a new tablet, learn how to keep it safe.
- Follow us on Twitter :: ISG and CISO alerts, tips and more.
Excited about your new tablet? Top tips to keep it safe and secure are: use some type of screen or passcode lock, run the latest version of the operating system and be mindful of your privacy and Cloud options.
Get the details from Chad Tilbury, who prepared this article that appeared in the December 2013 issue of OUCH! newsletter. More details about this author and the newsletter appear at the end of this article.
Your New Tablet
Congratulations on your new tablet. This technology is a powerful and convenient way to communicate with others, shop online, read, listen to music, game and perform a myriad of other activities. Since this new tool may become an important part of your daily life, we strongly encourage you to take some simple steps to help keep it safe and secure.
Securing Your Tablet
The first step is to set a passcode or some other screen locking mechanism. Tablets are easy to take wherever you go, which also means they are easy to lose or have stolen. To help prevent your information from falling into the wrong hands, be sure you lock your tablet screen with some type of hard-to-guess PIN, passcode or swiping motions. In newer devices, there may be some type of biometric authentication, such as a fingerprint reader. Use the strongest method your tablet supports, and be sure to set your tablet so that it locks automatically after a short idle time.
Next, update your tablet so it has the latest version of its operating system. Bad guys are constantly finding new weaknesses in software, and vendors are constantly releasing new updates and patches to fix them. By running the latest operating system, you make it harder for anyone to hack into your tablet.
Pay attention when configuring your tablet for the first time. The most important configuration choices will be your privacy and Cloud options. Privacy is about protecting your personal information. One of your tablet’s biggest privacy issues is its ability to know and track your location. We recommend that you go into the privacy features and disable location tracking for everything, then enable it on an app-by-app basis. For some apps, it is important to be able to track your location (such as mapping software or finding a local restaurant near you), but the majority of apps do not need real-time location information.
The other important option is Cloud storage. Cloud services such as Apple’s iCloud, Microsoft’s Skydrive, Dropbox or Google Drive allow you to store your data on servers through the Internet. Most tablets have built-in options for automatically storing just about anything in the Cloud, including documents, pictures and videos. Think about the sensitivity of your data and decide whether it is appropriate to store it in the Cloud. Make sure you understand how your data will be protected (such as by a password) and how you can control who will have access to it. The last thing you want is for the private pictures you just took to be posted on the Internet without your knowledge, complete with their geo-location information embedded.
Be aware that tablets are increasingly synchronizing your apps with other devices, like your smartphone or laptop. This is common with many applications (including Google’s Chrome), is pervasive in Windows 8 and is one of the most widely used features of iCloud. Device synchronization can be a wonderful feature, but if you have it enabled, don’t be surprised to see the sites you visited or the tabs you created on your tablet’s browser appear in your browser at work.
Keeping Your Tablet Secure
Once you have your tablet secured, you want to be sure it stays that way. Here are some simple steps for you to consider as you continue to use your tablet:
- Keep your tablet operating system and apps current and running their latest version. Many tablets now automatically update your apps, a feature we encourage you to enable.
- Do not jailbreak or hack into your own tablet. This will bypass and render a tremendous number of security controls useless, making your tablet far more vulnerable to attacks.
- Only download apps you need, and only download them from trusted sources. For iPads, this is as simple as only downloading apps from iTunes. These apps are screened by Apple before they are made available. For Google, we recommend you limit your apps to those found on Google Play. While you can download apps from other sites, they are usually not vetted and could be created with malicious intent. Finally, regardless of where you got your app, we recommend you remove it from your tablet once you no longer need or actively use it.
- When installing a new app, make sure you review and set the privacy options, just like you did when initially configuring your new tablet. Be careful of what information you allow the app to access, or what you allow the app to do with that information. For example, does the app you just downloaded really need access to all of your contacts?
- Be sure to install or configure software that allows you to remotely track, lock or erase your tablet in case it is ever lost or stolen.
- Syncing Chrome:
- Dangers of Cloud Computing: http://www.businessnewsdaily.com/5215-dangers-cloud-computing.html
- Common Security Terms: http://www.securingthehuman.org/resources/security-terms
- SANS Security Tip of the Day: https://www.sans.org/tip_of_the_day.php
Chad Tilbury is the guest editor of this issue. He has extensive experience investigating computer crimes and is the co-author of the FOR408 Windows Forensics and FOR508 Advanced Forensics and Incident Response classes at the SANS Institute. You can find him on Twitter as @chadtilbury, or on his blog, http://forensicmethods.com.
OUCH! January 2014 issue: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201401_en.pdf. OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 3.0 license.
On October 23rd, LinkedIn began offering Intro, their "Insights in your inbox", which allowed users to see LinkedIn (LI) profiles in their iPhone mail app. This extension of Apple's built-in iOS mail app is accomplished by routing email through a LI proxy server, where LI information is added to messages, which are then returned to the iPhone. According to Martin Kleppmann, senior software engineer at LI, "With Intro you can see at a glance the picture of the person who's emailing you, learn more about their background, and connect with them on LinkedIn." Here's a graphic that demonstrates how this works.
Intro immediately drew criticism from the IT security world, which pointed out that, in essence, Intro intercepted emails in order to inject LinkedIn information, a kind of "man-in-the-middle attack." Bishop Fox, a global security firm, responded with the article "LinkedIn 'Intro'duces Insecurity", which listed ten reasons they considered it "a bad thing." These included concerns over attorney-client privilege, that LI changed the content of emails and a device's security profile, that it stores email communications, and that its use could be a "gross violation of your company's security policy." They concluded their article by saying that the use of Intro at Bishop Fox would be banned on company devices until they could further investigate, and recommended that others do likewise and not introduce it into their environments.
Martin Kleppmann responded to this criticism on the 24th, pointing out that Intro was an "opt-in" feature, requiring users to install it before being able to use it, and that usernames, passwords, and email contents are not permanently stored anywhere inside LinkedIn data centers, but instead, on your iPhone. (See the update on LinkedIn Intro: Doing the Impossible on iOS for a full list of Kleppmann's reasons.)
Since this story continues to develop and evolve, ISG recommends that LinkedIn/iOS users wait until all the facts are in so that they can make an informed decision on whether or not to use Intro.
- About LinkedIn Intro
- LinkedIn Intro: Doing the Impossible on iOS by Martin Kleppmann, Senior Software Engineer at LinkedIn (10/23)
- Graphic of Intro IMAP Proxy Service and iOS mail client
- LinkedIn ‘Intro’duces Insecurity by Bishop Fox (10/23)
- LinkedIn wants the keys to your email for its innovative new Intro feature – but can you trust it? by Jon Russell, Asia Editor for The Next Web (10/24)
- LinkedIn’s Intro Feature Is Very Cool And A Spectacularly Bad Idea by Matthew Panzarino, writer for TechCrunch (10/24)
- The Facts about LinkedIn Intro by Cory Scott, Senior Manager, Information Security at LinkedIn (10/26)
- LinkedIn attempts to iron out security concerns surrounding Intro for iOS (author unknown, 10/26)
- LinkedIn defends security of Intro service by Michael Lee, Journalist, ZDNet (10/28)
October is National Cyber Security Awareness Month, a time set aside to heighten awareness of online threats and how to protect yourself, your computer or device, personal information, identity, bank account and/or reputation.
Each October the Information Security Group ratchets up their efforts to bring their message of computing safety to the Brown community. As part of this year's theme of Don't Get Caught, Get Cautious, ISG has planned special Brown Bags, prepared online materials that include weekly quizzes, and is once again holding a raffle, with prizes that include an iPad mini and Samsung Galaxy Tab 3.
Visit Don't Get Caught, Get Cautious for full details on how to sign up for classes and enter the contest.
When you're sitting on top, you have a great view of others. The downside is, you're now easy to spot and make a better and more tempting target.
As Android's popularity has risen*, so has its attractiveness to hackers. This is akin to underdog Firefox becoming the favored alternative to Internet Explorer when the latter was under siege, and then the hackers turning their sights on the more visible Firefox.
So the bad news for users of Android is that it's now under attack. One way you could be affected is by downloading rogue apps from third-party websites, as recounted in the August 13, 2013 story New Android malware is being distributed through mobile ad networks.
The good news is, if you read the article closely, you'll notice that the mobile ad networks it mentions are more common in areas where mobile devices can't access the official Google Play store or users have difficulties in purchasing applications in a legitimate manner. According to Antone Gonsalves in his September 27, 2013 article Become a hacker. Coding experience not needed., this is generally in places like "Asia, Eastern Europe and Russia (where) infection rates for Android smartphones are higher because people regularly download apps from sketchy sites. In the U.S., the vast majority of people use Google Play, so the chance of infection is minuscule."
So even though you Android users might breathe a little easier seeing this, note the importance of using Google Play as your marketplace for apps. Since a few bad ones slip through occasionally, it's also a good practice to read an app's reviews and download statistics before clicking that install button.
And for a nice rundown of Android antivirus software, see Darlene Storm's article Mobile malware madness: Favorite target? Android. Here's 3 free security apps. It paints a less rosy picture, but then it is from the point of view of AV vendors. Still some good advice at zero cost to you.
In summary, nothing is safe 100% of the time, but you can take some precautions to protect yourself: download only legitimate apps, run an antivirus program, and use your common sense. If something appears a bit iffy, steer clear.
* According to a survey from the Pew Internet & American Life Project, in May 2013, Android led iOS by 3 percentage points (28% of mobile phone owners' smartphones were Android, 25% running iOS). Read more about smartphone trends at US Smartphone OS Race Still Close, as Men, Younger Users Favor Android.
Do you like spam? Of course I’m talking about unsolicited bulk mail, and not the canned food. That could be a whole other message, which perhaps I’ll address in a future memo. I have a feeling that no one answered yes to my question. No one likes electronic spam, and yet we need to learn to live with it, as it will continue to direct itself to our in-boxes.
Did you know that most of the email around the world is actually spam? While there have been periods where the percentage was consistently over 90%, recent years have the numbers between 85% and 90%, thanks to the more rapid shutting down of botnets, which are responsible for most of the spam traffic. Brown is not immune to this phenomenon, as these same percentages are seen in messages coming to the Brown domain.
The good news is that a high percentage of them never reach your email box, and many of those that do are still identified as spam and sent to the spam folder. I’m sure we all agree that we would not want to sift through that many messages to find the real mail in our box. Compare yourself to Bill Gates, who receives approximately four million messages per year. Imagine going through all those messages each day to find the 1,000 legitimate ones if spam filters did not work!
Spam is not only a nuisance, but it can be malicious in nature, especially if it is also a phishing email. Brown has recently been the victim of several phishing attacks, to which some of our community have fallen victim. Not only does this place the victim’s personal information at risk, but it also propagates the phishing scam deeper throughout our community via the person’s contact list. The Information Security Group and the CIS Help Desk work quickly in identifying the compromised account, and aid the victim in stopping the attack. This is all part of our mission here at Brown. Still, we wish to get to the point where no one in the Brown community falls for a phishing scam. You can learn tips to help you spot a phish by visiting the ISG Phishing Primer here.
As this is October, and once again Brown is participating in National Cyber Security Awareness Month, we will also be hosting a brown bag on 10/10/13 entitled “Don’t Get Caught…by a Phishing Phony”. Learn about this, and all of the activities of the month at www.brown.edu/go/cybersecurity.
As always, I welcome your comments and feedback. Please feel free to reach out to me directly at email@example.com, or the group at ISG@brown.edu. Let me know how we are doing, areas of concern you may have, or questions on protecting your identity or personal computing security. And remember, sec_rity is not complete without U!
As of October 3rd, the Information Security Group will be located on Brown's main campus in the 169 Angell building, accessed from the entrance on Angell, opposite the Brown Bookstore/Bank of America entrance. Offices are on the second floor in some of the space formerly occupied by the Help Desk (which is now situated in the new Service Center in CIT 101).
Besides performing information security consults on-site, ISG also has a hard drive crusher used for crushing no-longer needed drives containing data covered under the Brown Restricted Information Policy. If you have any that fit that description, or others that you simply desire to destroy, please contact us at ISG@brown.edu to arrange an appointment.
If you are new to Brown or missed ISG's earlier announcements, we recommend that you install and run Identity Finder, a useful addition to anyone's security toolkit. It allows you to scan your computer for any sensitive information that might be stored on it -- such as social security numbers or passwords -- and then take appropriate measures to either secure or remove it.
The enterprise version is available to all active faculty and staff from CIS's software download pages. In addition, students and home users can install a free version available on the Identity Finder website on their personal computers to perform basic search and remediation. More robust personal versions are also available.
ISG recommends that you install and periodically run Identity Finder to detect and secure sensitive data on your computer, which will help protect you from identity theft. More information is available in the Identity Finder FAQ.
Please note: If you already have Identity Finder installed but haven't used it in a while, you will be asked to update to version 6.2, which is available for download from CIS' Software Distribution site (downloads for Windows and Macintosh are available). Note you will need to delete your current client before installing the new version.
Over 3,200 individuals have taken the Protecting Brown’s Information class to learn what constitutes “Brown Confidential Information”; where, when and how it’s at risk; and what you can do to mitigate that risk. Are you one of them? Or has it been a while and you’d like a refresher? Materials are available online and include a video of the class and comprehension test. You can register for the online class on LearningPoint.
Would your department like a refresher course, perhaps during a staff meeting? ISG would be happy to come to you. Email us at ISG@brown.edu for more information or if you’re interested in arranging a special session of Protecting Brown Information, which can be tailored to your needs.
The following article appeared in the August 2013 issue of OUCH! magazine and was written by James Tarala. More details about this author and OUCH appear at the end of this article.
Who Are You?
The process of proving who you are (called authentication) is a key step to protecting your online information. You want to be sure only you have access to your private information, so you need a secure method to prove who you are, such as when you check email, purchase something online or access your bank accounts. You can prove who you are in three different ways: what you know, such as a password, what you have, such as your passport, and who you are, such as your fingerprint. Each one of these methods has its advantages and disadvantages. The most common authentication method is using what you know: passwords.
You most likely use passwords almost every day in your life. The purpose of a password is to prove you are who you say you are. This would be an example of something you know. The danger with passwords is that if someone else can guess or gain access to your password, they can then pretend to be you and access all of the information that is secured by it. This is why you are taught steps to protect your password, such as using strong passwords that are hard for attackers to guess. The problem with passwords is they are quickly becoming dated. With newer technologies it is becoming easier for cyber attackers to forcibly test and eventually guess passwords or harvest them with technologies such as keystroke loggers. A simpler yet more secure solution is needed for strong authentication. Fortunately, such an option is becoming more common -- something called two-step verification. To protect yourself, we highly recommend you use this option whenever possible.
Two-step verification (sometimes called two-factor authentication) is a more secure way to prove your identity. Instead of requiring just one step for authentication, such as passwords (which is something you know), it requires two steps. Your ATM card is an example. When you withdraw money from an ATM machine, you are actually using a form of two-step verification. To prove who you are when accessing your money, you need two things: the ATM card (something you have) and the PIN number (something you know). If you lose your ATM card your money is still safe; anyone who finds your card cannot withdraw your money as they do not know your PIN (unless you wrote your PIN on your card, which is a bad idea). The same is true if they only have your PIN and not the card. An attacker must have both to compromise your ATM account. This is what makes two-step verification so much more secure: you have two layers of security.
Using Two-Step Verification
One of the leaders in online two-step verification is Google. With a variety of free online services such as Gmail, Google needed to provide a stronger authentication solution for its millions of users. As such Google rolled out two-step verification for most of its online services. Not only is Google’s two-step verification a free service any Google user can sign-up for, but other online providers are using similar technology for their services, such as Dropbox, Facebook, LinkedIn and Twitter. By understanding how Google’s two-step verification works, you will understand how many other online two-step verification services work.
Google’s two-step verification works as follows. First, you will need your username and password, just as before. That is the first factor, something you know. However, Google then requires a second factor, something you have -- specifically, your smartphone. There are two different ways you can use your smartphone as part of the login process. The first is to register your phone number with Google. When you attempt to authenticate with your username and password, Google will SMS a new, unique code to your smartphone. You then have to enter this number when you log in. The other option is to install Google authentication software on your smartphone. The software then generates a unique code for you. The advantage with this second approach is that you do not need to be connected to a service provider, as your phone generates your code for you.
Two-step verification is usually not enabled by default; it is something you will have to enable yourself. In addition, most mobile apps are not yet compatible with two-step verification. For most mobile apps you will need to use application-specific passwords, which you can generate once you enable two-step verification. Finally, you may have the option of creating recovery keys in case you lose your smartphone. We recommend you print those out and store them in a safe, locked location.
We highly recommend you use two-step verification whenever possible, especially for critical services such as email or file storage. Two-step verification goes much further to protect your information, as criminals have to work much harder to try and compromise your accounts.
Where you can use two-step verification:
Google Two-Step Verification: http://www.google.com/landing/2step/
Common Security Terms: http://www.securingthehuman.org/resources/security-terms
SANS Security Tip of the Day: https://www.sans.org/tip_of_the_day.php
James Tarala is a speaker, author and senior instructor with the SANS Institute. He is a principal consultant at Enclave Security and a contributor to the Critical Security Controls and AuditScripts.com. You can follow James on Twitter @isaudit or meet him in person at one of his upcoming courses.
OUCH! August 2013 issue: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201308_en.pdf
OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 3.0 license.
The latest issue of Secure IT! has been released, now located on the new Information Technology site. While this brings a slightly different look to the newsletter, it continues to offer timely tips to keep you safe online.
We invite you to peruse this issue, view back issues (to 2010) and send us ideas for future ones. Enjoy!
- CISO Memo: Spam, Spam, Spam, Spam :: A nuisance that can also be malicious.
- October means National Cyber Security Awareness Month :: And lots of chances to "Don't Get Caught, Get Cautious" and enter a contest to win an iPad mini or Samsung Galaxy Tab 3.
- Identity Finder Reminder :: Not running Identity Finder regularly? Find out how and why.
- Android Malware :: Being popular makes you a desirable target.
- ISG Moves to Main Campus :: Now conveniently located at the intersection of Angell & Thayer.
- Two-Step Verification :: When passwords aren't enough.
- Protecting Brown's Information :: Never taken the class? Like a refresher?
Here are ISG's Ten Travel Tips for your mobile device, especially for those traveling outside of the U.S. Please take a few moments to review them as an ounce of prevention now can save a pound of trouble later.
- Contact your cellular provider several weeks before you travel to discuss and activate the most cost-effective plan to fit your needs. For Brown devices, contact Telecommunications at 863-2007 or firstname.lastname@example.org. For non-Brown devices, users can contact their cellular provider directly.
- For phones, familiarize yourself with international roaming and data charges. We recommend turning off or setting a limit on cellular data usage for your smartphone to prevent incurring significant fees.
- Consider using Google+ Hangouts to bypass the phone. See the About Hangouts site for help on getting started.
- When traveling with a laptop, remove all PII from it or encrypt it. If possible, we recommend using a laptop specifically designated for travel with no personal information on it. Note: CIS has loaner laptops for faculty, staff and grad students who are working on projects when traveling abroad. The loaners can be signed out at the Computer Service & Repair window.
- Become aware of and comply with all export controls. For example, some countries ban or severely regulate the use of encryption, so you should check country-specific information before traveling with an encrypted laptop. See the Symantec Endpoint Encryption FAQ on international traveling restrictions for details.
- Set a strong password or passcode for your device. Here are some ideas on how to create a strong and memorable password.
- Make sure all operating system and anti-malware software is current. If you haven't installed an anti-malware client for your phone, do so.
- Install device finder software, such as Computrace (for laptops) or Lookout (for tablets and phones).
- Use VPN to connect to Brown's network when away from it. CIS offers both web and client versions. If you haven't used VPN before, test it before leaving.
- Make sure you have contact information for your local IT support professional and the Help Desk before you leave (email@example.com, 863-4357).