The latest issue of Secure IT! has been released. We invite you to peruse this issue, view back issues (to 2010) and send us ideas for future ones. Enjoy!
- CISO Memo: It's All About Privacy :: With so much of our lives and actions online, protecting one's privacy is becoming increasingly difficult. ISG is here to help.
- Identity Finder Reminder :: Not running Identity Finder regularly? Find out why you should.
- Targeted in a Recent Security Breach? :: Were you affected by the latest retail security breaches? Read ISG's recommendations on what you can do.
- Secure Your Home Network :: In his recent article "The Internet of Things is Wildly Insecure", security expert Bruce Schneier said, "If we don't solve this soon, we're in for a security disaster as hackers figure out that it's easier to hack routers than computers." Find out if your home router is at risk and what you can do to mitigate it.
- Securing Your New Tablet :: If Santa surprised you with a new tablet, learn how to keep it safe.
- Follow us on Twitter :: ISG and CISO alerts, tips and more.
Brown is participating in National Data Privacy Month from January 28th-February 28th, 2014. While not as intensive a campaign as the one we run each October for Cyber Security Month, there are still opportunities to hear from experts, learn how to protect your individual privacy online, and view an intriguing documentary. More on that later.
Privacy is a large concern to many people, and with so much of our lives and actions online, protecting one's privacy is becoming increasingly difficult. I'm sure that you are all aware of the breach of credit cards and personal information from Target, and maybe even have been directly impacted by it. With more and more information being made available by the company, it is now considered the largest breach in the history of personal data. While we laugh that it is no surprise given the name "Target", it is no laughing matter. Many of the victims have had their finances, credit and personal lives negatively impacted. Sadly, attacks such as this will continue, as the value of the data continues to increase.
Maintaining your privacy takes effort, and the ISG is here to help. With webpages offering advice, a national webcast on January 30th by Robert Ellis Smith (the nation’s leading privacy advocate), and an ISG brown bag lunch February 24 on "Your Life Online", you have opportunities over the next few weeks to gain insight and knowledge on not only protecting your privacy, but what to do if your information is leaked.
We will also be providing a screening of an intriguing documentary called Terms and Conditions May Apply. Including a Q&A session afterwards with leading members of the Brown community in this area, it will be both an eye-opening and valuable night. I hope that you can attend. Details at brown.edu/go/TACMA.
As always, I welcome your comments and feedback. Please feel free to reach out to me directly at email@example.com, or the group at ISG@brown.edu. Let me know how we are doing, areas of concern you may have, or questions on protecting your identity, privacy or personal computing security. And remember, sec_rity is not complete without U!
Think you may have been part of a security breach affecting Target or other retailers? ISG recommends that, whether or not you might have been a victim, you take a few steps to protect your identity as well as your financial reputation.
Keep an eye on your bank account statements
Most banking institutions allow you to set alerts for unusual activity, so that information is pushed to you rather than your needing to remember to log into your account every day. Jay Gatten of The Human Defense suggests having a text sent to you for any transaction (including cash withdrawals) over $100 (or whatever amount you are most comfortable with).
Debit or Credit?
Gatten, as well as others, also recommends not using your debit card as a debit card, since its PIN could be captured when it is swiped or inserted in a rogue POS (point of sale) device. Instead, use credit cards whenever possible, which let you use the bank's money until you pay it back. This is the reason banks will take immediate action if there is a chance of credit card fraud. (Watch this recent news story for more on debit versus credit.) Another alternative: use cash whenever possible, such as at gas stations.
Order free credit reports
An amendment to the federal Fair Credit Reporting Act requires each of the three major nationwide consumer reporting companies (Equifax, Experian and TransUnion) to provide you with a free copy of your credit report, at your request, once every 12 months. This means you can stagger your requests and order a report from one of the three every four months. You can order reports at www.AnnualCreditReport.com.
FTC & Identity Theft
Beware phishing attempts
Some of the expected fallout from the recent breaches is phishy emails, texts or even phone calls to those whose personal information was stolen. Because of this, be extra vigilant for anything that doesn't quite seem right. Learn how to spot a phish at www.brown.edu/go/phishing. Unfortunately, the "Important message from Target to our guests" email that was sent mid-January looks a bit phishy. What do you think they could have done better? On the plus side, the letters did contain helpful recommendations, much like those given here. But they also included an offer for a free credit report that some have found confusing or have been unable to act upon, since they don't have email and access to the Internet.
Home networks were relatively simple several years ago, perhaps nothing more than a wireless access point and a computer or two used to surf the Internet or play games online. However, home networks have become increasingly complex. Not only are we connecting more devices to our home networks, but we are doing more things with them. In this edition we will cover some basic steps to creating a more secure home network.
Your Wireless Network
Almost every home network starts with a wireless network (sometimes called a Wi-Fi network). This is what enables you to wirelessly connect any of your devices to the Internet, from laptops and tablets to gaming consoles and televisions. For this to happen, your wireless network needs something called a wireless access point. This is a physical device that connects to your Internet router (or may be built into your Internet router) and sends out a wireless signal that your devices connect to. Once your devices connect to the access point, they can then connect to other devices on your home network and the Internet. As a result, your wireless access point is one of the key parts of your home network. As such, we recommend the following steps to securing it:
- For most wireless access points, the default administrator login and password is well-known and often even posted on the Internet. As such, be sure to change the default administrator login and password to something that only you know. Make sure that it is a unique password and is not used for any of your other accounts.
- Another option you will need to configure is the name of your wireless network (sometimes called your SSID). This is the name your devices will see when they search for local wireless networks. Give your network name something unique so you can easily identify it, but make sure it does not contain any personal information. Also, there is little value in configuring your network as hidden (or non-broadcast). Most wireless scanning tools or any skilled attacker can easily discover the details of a hidden network.
- The next step is ensuring that only people you know and trust can connect to and use your wireless network, and that those connections are encrypted. You want to be sure that neighbors or strangers cannot connect to or monitor your network. You can easily mitigate these risks by enabling strong security on your wireless access point. Currently, the best option is to use the security mechanism WPA2. By simply enabling this, you require a password for people to connect to your home network and, once authenticated, those connections are encrypted. Be sure you do not use older, outdated security methods such as WEP, or no security at all (which is called an open network). An open network allows anyone to connect to your wireless network without any authentication.
- Make sure the password people will use to connect to your wireless network is a strong, hard-to-guess password and that it is different from the administrator password. Remember, you most likely have to enter the password only once for each of your devices, as they will each store and remember the password.
- Many wireless access points support what is called a Guest Network. A Guest Network allows visitors to connect to your wireless access point and access the Internet, but they cannot connect to any of the devices on your home network. If you add a Guest Network, be sure to enable WPA2 and a different password for this network.
- If you can’t remember the different passwords then use a password manager to securely store them.
Once you have your wireless network configured, we recommend you configure your home network to use OpenDNS as your DNS servers (or a similar service, such as Norton ConnectSafe for Home). When you type a name into your browser, DNS is how your browser knows which server on the Internet to connect to. Services such as OpenDNS identify known, infected websites and stop any device connected to your home wireless network from accidentally visiting these infected websites. In addition, these services often give you the ability to filter and block objectionable websites. What makes this approach so effective is there is no software to install on your devices, you just make a change to your wireless access point.
The next step involves knowing what is connected to your home network and making sure those devices are secure. This used to be simple, as you only had a few devices connected in the past. Nowadays, however, almost anything can connect to your home network, including TVs, gaming consoles, baby monitors, speakers, your house thermometer and even your car. Once you identify all the devices on your home network, you may be surprised by just how many you have. The best way to keep all of these devices secure is to ensure they are always running the latest version of their operating system. Be sure you have auto-update enabled when possible. If this is not an option, then review and update your devices monthly, if possible. In addition, be sure to visit your Internet service provider's website, as they may provide free tools and services to help you secure your home network.
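The checklist above as a self-check, written as an added example (not code from the OUCH! article or from ISG): a small audit that flags a constructed "as shipped" router configuration and passes the constructed hardened one. The configuration fields, the list of factory passwords, the password-length threshold and the severity labels are assumptions made for illustration; real routers expose these settings in their own admin pages.

```python
"""Audit a home wireless access point against the checklist above.  Added
example, not code from the OUCH!/ISG article; the configuration layout and
both sample configurations are constructed, since every router differs."""

DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "1234", ""}  # constructed, illustrative
FILTERING_DNS_PROVIDERS = {"opendns", "norton-connectsafe"}  # labels for the services named above
MIN_WIFI_PASSWORD_LEN = 12  # illustrative threshold, not from the article


def audit_access_point(cfg, personal_tokens=()):
    """Return (severity, finding) tuples; an empty list means nothing to fix.
    personal_tokens: lowercase strings (surname, street ...) that must not appear in the SSID."""
    findings = []
    wifi, admin_pw = cfg["wifi"], cfg["admin_password"]
    # Step 1: the factory administrator login is public knowledge.
    if admin_pw.lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append(("high", "administrator password is a well-known factory default"))
    # Step 2: SSID should be unique, carry no personal data, and need not be hidden.
    if any(tok in wifi["ssid"].lower() for tok in personal_tokens):
        findings.append(("medium", "SSID contains personal information"))
    if wifi["hidden"]:
        findings.append(("low", "hidden SSID adds little protection; scanners still find it"))
    # Step 3: WPA2 only; WEP and open networks let neighbours join or monitor.
    security = wifi["security"]
    if security == "open":
        findings.append(("high", "open network: anyone can join and traffic is unencrypted"))
    elif security == "wep":
        findings.append(("high", "WEP is outdated and easily broken; use WPA2"))
    elif security != "wpa2":
        findings.append(("medium", f"unrecognised security mode {security!r}"))
    # Step 4: the join password must be strong and differ from the admin password.
    if security != "open":
        if wifi["password"] == admin_pw:
            findings.append(("high", "Wi-Fi password is the same as the administrator password"))
        if len(wifi["password"]) < MIN_WIFI_PASSWORD_LEN:
            findings.append(("medium", "Wi-Fi password is short; use a long, hard-to-guess passphrase"))
    # Step 5: a guest network gets WPA2 and its own password.
    guest = cfg.get("guest")
    if guest and guest["enabled"]:
        if guest["security"] != "wpa2":
            findings.append(("high", "guest network is not protected with WPA2"))
        if guest["password"] == wifi["password"]:
            findings.append(("high", "guest network reuses the main Wi-Fi password"))
    # Final step: point the router at a filtering resolver such as OpenDNS.
    if cfg.get("dns_provider") not in FILTERING_DNS_PROVIDERS:
        findings.append(("low", "DNS not pointed at a filtering service such as OpenDNS"))
    return findings


# Constructed "as shipped" configuration that breaks most of the checklist.
WEAK_CONFIG = {
    "admin_password": "admin",
    "wifi": {"ssid": "Smith_Home", "hidden": True, "security": "wep", "password": "admin"},
    "guest": {"enabled": True, "security": "open", "password": ""},
    "dns_provider": "isp-default",
}
# Constructed configuration after applying the steps above.
HARDENED_CONFIG = {
    "admin_password": "kettle-orbit-7-marble-admin",
    "wifi": {"ssid": "blue-kettle-42", "hidden": False, "security": "wpa2",
             "password": "garden-lantern-river-moss"},
    "guest": {"enabled": True, "security": "wpa2", "password": "visitor-orchard-wind-stone"},
    "dns_provider": "opendns",
}
```

Calling `audit_access_point(WEAK_CONFIG, ("smith",))` lists eight findings, four of them high; the hardened configuration returns an empty list.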
- OpenDNS: http://www.opendns.org
- Norton ConnectSafe: http://dns.norton.com/dnsweb/dnsForHome.do
- Network Security Scanner: http://www.sophos.com/en-us/products/free-tools/network-security-scan.aspx
- Password Managers: http://www.securingthehuman.org/resources/newsletters/ouch/2013#october2013
Note: This article was prepared by Kevin Johnson, who is the CEO at Secure Ideas, runs MySecurityScanner.com and is a senior instructor with the SANS Institute. You can find more information at www.secureideas.com. It was prepared for the January 2014 issue of OUCH!, Securing Your New Tablet. OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 3.0 license. You are free to share or distribute this article as long as you do not sell or modify it. For past editions or translated versions, visit www.securingthehuman.org/ouch. Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Bob Rudis
Excited about your new tablet? Top tips to keep it safe and secure are: use some type of screen or passcode lock, run the latest version of the operating system and be mindful of your privacy and Cloud options.
Get the details from Chad Tilbury, who prepared this article that appeared in the December 2013 issue of OUCH! newsletter. More details about this author and the newsletter appear at the end of this article.
Your New Tablet
Congratulations on your new tablet. This technology is a powerful and convenient way to communicate with others, shop online, read, listen to music, game and perform a myriad of other activities. Since this new tool may become an important part of your daily life, we strongly encourage you to take some simple steps to help keep it safe and secure.
Securing Your Tablet
The first step is to set a passcode or some other screen locking mechanism. Tablets are easy to take wherever you go, which also means they are easy to lose or have stolen. To help prevent your information from falling into the wrong hands, be sure you lock your tablet screen with some type of hard-to-guess PIN, passcode or swiping motions. In newer devices, there may be some type of biometric authentication, such as a fingerprint reader. Use the strongest method your tablet supports, and be sure to set your tablet so that it locks automatically after a short idle time.
Next, update your tablet so it has the latest version of its operating system. Bad guys are constantly finding new weaknesses in software, and vendors are constantly releasing new updates and patches to fix them. By running the latest operating system, you make it harder for anyone to hack into your tablet.
Pay attention when configuring your tablet for the first time. The most important configuration choices will be your privacy and Cloud options. Privacy is about protecting your personal information. One of your tablet’s biggest privacy issues is its ability to know and track your location. We recommend that you go into the privacy features and disable location tracking for everything, then enable it on an app-by-app basis. For some apps, it is important to be able to track your location (such as mapping software or finding a local restaurant near you), but the majority of apps do not need real-time location information.
The other important option is Cloud storage. Cloud services such as Apple's iCloud, Microsoft's SkyDrive, Dropbox or Google Drive allow you to store your data on servers through the Internet. Most tablets have built-in options for automatically storing just about anything in the Cloud, including documents, pictures and videos. Think about the sensitivity of your data and decide whether it is appropriate to store it in the Cloud. Make sure you understand how your data will be protected (such as by a password) and how you can control who will have access to it. The last thing you want is for the private pictures you just took to be posted on the Internet without your knowledge, complete with their geo-location information embedded.
Be aware that tablets are increasingly synchronizing your apps with other devices, like your smartphone or laptop. This is common with many applications (including Google’s Chrome), is pervasive in Windows 8 and is one of the most widely used features of iCloud. Device synchronization can be a wonderful feature, but if you have it enabled, don’t be surprised to see the sites you visited or the tabs you created on your tablet’s browser appear in your browser at work.
Keeping Your Tablet Secure
Once you have your tablet secured, you want to be sure it stays that way. Here are some simple steps for you to consider as you continue to use your tablet:
- Keep your tablet operating system and apps current and running their latest version. Many tablets now automatically update your apps, a feature we encourage you to enable.
- Do not jailbreak or hack into your own tablet. This will bypass and render a tremendous number of security controls useless, making your tablet far more vulnerable to attacks.
- Only download apps you need, and only download them from trusted sources. For iPads, this is as simple as only downloading apps from iTunes. These apps are screened by Apple before they are made available. For Google, we recommend you limit your apps to those found on Google Play. While you can download apps from other sites, they are usually not vetted and could be created with malicious intent. Finally, regardless of where you got your app, we recommend you remove it from your tablet once you no longer need or actively use it.
- When installing a new app, make sure you review and set the privacy options, just like you did when initially configuring your new tablet. Be careful of what information you allow the app to access, or what you allow the app to do with that information. For example, does the app you just downloaded really need access to all of your contacts?
- Be sure to install or configure software that allows you to remotely track, lock or erase your tablet in case it is ever lost or stolen.
- Syncing Chrome:
- Dangers of Cloud Computing: http://www.businessnewsdaily.com/5215-dangers-cloud-computing.html
- Common Security Terms: http://www.securingthehuman.org/resources/security-terms
- SANS Security Tip of the Day: https://www.sans.org/tip_of_the_day.php
Chad Tilbury is the guest editor of this issue. He has extensive experience investigating computer crimes and is the co-author of the FOR408 Windows Forensics and FOR508 Advanced Forensics and Incident Response classes at the SANS Institute. You can find him on Twitter as @chadtilbury, or on his blog, http://forensicmethods.com.
OUCH! January 2014 issue: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201401_en.pdf. OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 3.0 license.
Keep up with alerts and tips from the Information Security Group by following us on Twitter at https://twitter.com/ISGatBrown and https://twitter.com/CISOatBrownU. Here's a sample of a recent tweet so you can see what you're missing:
ISG @ Brown @ISGatBrown: Do you know your #privacy IQ? 10 quick Q's to find out, brought to you by StaySafeOnline & ZeroKnowledgePrivacy.org: http://myprivacyiq.com/
If you are new to Brown or missed ISG's earlier announcements, we recommend that you install and run Identity Finder, a useful addition to anyone's security toolkit. It allows you to scan your computer for any sensitive information that might be stored on it -- such as social security numbers or passwords -- and then take appropriate measures to either secure or remove it.
The enterprise version is available to all active faculty and staff from CIS's software download pages. In addition, students and home users can install a free version available on the Identity Finder website on their personal computers to perform basic search and remediation. More robust personal versions are also available.
ISG recommends that you install and periodically run Identity Finder to detect and secure sensitive data on your computer, which will help protect you from identity theft. More information is available in the Identity Finder FAQ.
Please note: If you already have Identity Finder installed but haven't used it in a while, you will be asked to update to version 6.2, which is available for download from CIS' Software Distribution site (downloads for Windows and Macintosh are available). Note that you will need to delete your current client before installing the new version.
Is your mobile phone number in MyAccount? Not only is a mobile phone number important for emergency notifications, but it can also be used to reset a forgotten password for your Brown username by following the Forgot Password link on most Brown login pages. Enter your mobile phone number at http://brown.edu/myaccount today, and don't forget to put a password lock on your phone to stay secure.
Maybe you've been meaning to make your password more secure but are afraid you'll forget it. With this new feature, if you forget your strong password, you can always reset it yourself instead of having to visit the Computing Accounts and Passwords office in person. We recommend choosing a 10-character (or longer) password.
This video shows how the new self-service password reset works:
If you are having trouble connecting your device (computer, smartphone, etc.) to Brown-Secure wireless or would like to report a coverage issue, please stop by one of our upcoming clinics:
- Thursday 11/21, 2 pm - 4 pm, atrium of the CIT Building
- Thursday 12/5, 3:30 pm - 5 pm, Stephen Robert '62 Campus Center
- Thursday 12/12, 3:30 pm - 5 pm, Sci-Li (main floor)
- Thursday 12/19, 3 pm - 5 pm, Alpert Medical School Main Lobby
- Thursday 1/23/14, 9 am - 5 pm, atrium of the CIT Building
- Tuesday 1/28/14, 3 pm - 5 pm, Digital Scholarship Lab, Rockefeller Library
- Thursday 1/30/14, 3 pm - 5 pm, Hecker Center, Rockefeller Library