Do you like spam? Of course I’m talking about unsolicited bulk mail, and not the canned food. That could be a whole other message, which perhaps I’ll address in a future memo. I have a feeling that no one answered yes to my question. No one likes electronic spam, and yet we need to learn to live with it, as it will continue to direct itself to our in-boxes.
Did you know that most of the email around the world is actually spam? While there have been periods where the percentage was consistently over 90%, recent years have had the numbers between 85% and 90%, thanks to the more rapid shutting down of botnets, which are responsible for most of the spam traffic. Brown is not immune to this phenomenon, as these same percentages are seen in messages coming to the Brown domain.
The good news is that a high percentage of them never reach your email box, and many of those that do are still identified as spam and sent to the spam folder. I’m sure we all agree that we would not want to sift through that many messages to find the real mail in our box. Compare yourself to Bill Gates, who receives approximately four million messages per year. Imagine going through all those messages each day to find the 1,000 legitimate ones if spam filters did not work!
Spam is not only a nuisance, but it can be malicious in nature, especially if it is also a phishing email. Brown has recently been the victim of several phishing attacks, to which some of our community have fallen victim. Not only does this place the victim’s personal information at risk, but it also propagates the phishing scam deeper throughout our community via the person’s contact list. The Information Security Group and the CIS Help Desk work quickly in identifying the compromised account, and aid the victim in stopping the attack. This is all part of our mission here at Brown. Still, we wish to get to the point where no one in the Brown community falls for a phishing scam. You can learn tips to help you spot a phish by visiting the ISG Phishing Primer here.
As this is October, and once again Brown is participating in National Cyber Security Awareness Month, we will also be hosting a brown bag on 10/10/13 entitled “Don’t Get Caught…by a Phishing Phony”. Learn about this, and all of the activities of the month at www.brown.edu/go/cybersecurity.
As always, I welcome your comments and feedback. Please feel free to reach out to me directly at firstname.lastname@example.org, or the group at ISG@brown.edu. Let me know how we are doing, areas of concern you may have, or questions on protecting your identity or personal computing security. And remember, sec_rity is not complete without U!
When you're sitting on top, you have a great view of others. The downside is, you're now easy to spot and make a better and more tempting target.
As Android's popularity has risen*, so has its attractiveness to hackers. This is akin to underdog Firefox becoming the favored alternative to Internet Explorer when the latter was under siege, and then the hackers turning their sights on the more visible Firefox.
So the bad news for users of Android is that it's now under attack. One way you could be affected is by downloading rogue apps from third-party websites, such as recounted in the August 13, 2013 story New Android malware is being distributed through mobile ad networks.
The good news is, if you read the article closely, you'll notice that the mobile ad networks it mentions are more common in areas where mobile devices can't access the official Google Play store or users have difficulties in purchasing applications in a legitimate manner. According to Antone Gonsalves in his September 27, 2013 article Become a hacker. Coding experience not needed., this is generally in places like "Asia, Eastern Europe and Russia (where) infection rates for Android smartphones are higher because people regularly download apps from sketchy sites. In the U.S., the vast majority of people use Google Play, so the chance of infection is minuscule."
So even though you Android users might breathe a little easier seeing this, note the importance of using Google Play as your marketplace for apps. Since a few bad ones slip through occasionally, it's also a good practice to read an app's reviews and download statistics before clicking that install button.
And for a nice rundown of Android antivirus software, see Darlene Storm's article Mobile malware madness: Favorite target? Android. Here's 3 free security apps. It paints a less rosy picture, but then it is from the point of view of AV vendors. Still, some good advice at zero cost to you.
In summary, nothing is safe 100% of the time, but you can take some precautions to protect yourself: download only legitimate apps, run an antivirus program, and use your common sense. If something appears a bit iffy, steer clear.
* According to a survey from the Pew Internet & American Life Project, in May 2013, Android led iOS by 3 percentage points (28% of mobile phone owners' smartphones were Android, 25% running iOS). Read more about smartphone trends at US Smartphone OS Race Still Close, as Men, Younger Users Favor Android.
As of October 3rd, the Information Security Group will be located on Brown's main campus in the 169 Angell building, accessed from the entrance on Angell, opposite the Brown Bookstore/Bank of America entrance. Offices are on the second floor in some of the space formerly occupied by the Help Desk (which is now situated in the new Service Center in CIT 101).
Besides performing information security consults on-site, ISG also has a hard drive crusher used for crushing no-longer needed drives containing data covered under the Brown Restricted Information Policy. If you have any that fit that description, or others that you simply desire to destroy, please contact us at ISG@brown.edu to arrange an appointment.
The following article appeared in the August 2013 issue of OUCH! magazine and was written by James Tarala. More details about this author and OUCH appear at the end of this article.
Who Are You?
The process of proving who you are (called authentication) is a key step to protecting your online information. You want to be sure only you have access to your private information, so you need a secure method to prove who you are, such as when you check email, purchase something online or access your bank accounts. You can prove who you are in three different ways: what you know, such as a password, what you have, such as your passport, and who you are, such as your fingerprint. Each one of these methods has its advantages and disadvantages. The most common authentication method is using what you know: passwords.
You most likely use passwords almost every day in your life. The purpose of a password is to prove you are who you say you are. This would be an example of something you know. The danger with passwords is that if someone else can guess or gain access to your password, they can then pretend to be you and access all of the information that is secured by it. This is why you are taught steps to protect your password, such as using strong passwords that are hard for attackers to guess. The problem with passwords is they are quickly becoming dated. With newer technologies it is becoming easier for cyber attackers to forcibly test and eventually guess passwords or harvest them with technologies such as keystroke loggers. A simpler yet more secure solution is needed for strong authentication. Fortunately, such an option is becoming more common -- something called two-step verification. To protect yourself, we highly recommend you use this option whenever possible.
Two-step verification (sometimes called two-factor authentication) is a more secure way to prove your identity. Instead of requiring just one step for authentication, such as passwords (which is something you know), it requires two steps. Your ATM card is an example. When you withdraw money from an ATM machine, you are actually using a form of two-step verification. To prove who you are when accessing your money, you need two things: the ATM card (something you have) and the PIN number (something you know). If you lose your ATM card your money is still safe; anyone who finds your card cannot withdraw your money as they do not know your PIN (unless you wrote your PIN on your card, which is a bad idea). The same is true if they only have your PIN and not the card. An attacker must have both to compromise your ATM account. This is what makes two-step verification so much more secure: you have two layers of security.
Using Two-Step Verification
One of the leaders in online two-step verification is Google. With a variety of free online services such as Gmail, Google needed to provide a stronger authentication solution for its millions of users. As such Google rolled out two-step verification for most of its online services. Not only is Google’s two-step verification a free service any Google user can sign-up for, but other online providers are using similar technology for their services, such as Dropbox, Facebook, LinkedIn and Twitter. By understanding how Google’s two-step verification works, you will understand how many other online two-step verification services work.
Google’s two-step verification works as follows. First, you will need your username and password, just as before. That is the first factor, something you know. However, Google then requires a second factor, something you have -- specifically, your smartphone. There are two different ways you can use your smartphone as part of the login process. The first is to register your phone number with Google. When you attempt to authenticate with your username and password, Google will SMS a new, unique code to your smartphone. You then have to enter this number when you log in. The other option is to install Google authentication software on your smartphone. The software then generates a unique code for you. The advantage with this second approach is that you do not need to be connected to a service provider, as your phone generates your code for you.
Two-step verification is usually not enabled by default; it is something you will have to enable yourself. In addition, most mobile apps are not yet compatible with two-step verification. For most mobile apps you will need to use application-specific passwords, which you can generate once you enable two-step verification. Finally, you may have the option of creating recovery keys in case you lose your smartphone. We recommend you print those out and store them in a safe, locked location.
We highly recommend you use two-step verification whenever possible, especially for critical services such as email or file storage. Two-step verification goes much further to protect your information, as criminals have to work much harder to try and compromise your accounts.
Where you can use two-step verification:
Google Two-Step Verification: http://www.google.com/landing/2step/
Common Security Terms: http://www.securingthehuman.org/resources/security-terms
SANS Security Tip of the Day: https://www.sans.org/tip_of_the_day.php
James Tarala is a speaker, author and senior instructor with the SANS Institute. He is a principal consultant at Enclave Security and a contributor to the Critical Security Controls and AuditScripts.com. You can follow James on Twitter @isaudit or meet him in person at one of his upcoming courses.
OUCH! August 2013 issue: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201308_en.pdf
OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 3.0 license.
Over 3,200 individuals have taken the Protecting Brown’s Information class to learn what constitutes “Brown Confidential Information”; where, when and how it’s at risk; and what you can do to mitigate that risk. Are you one of them? Or has it been a while and you’d like a refresher? Materials are available online and include a video of the class and a comprehension test. You can register for the online class on LearningPoint.
Would your department like a refresher course, perhaps during a staff meeting? ISG would be happy to come to you. Email us at ISG@brown.edu for more information or if you’re interested in arranging a special session of Protecting Brown Information, which can be tailored to your needs.
The University Library, with support from the Office of the Provost, is pleased to announce the availability of the New York Times via a site license for the Brown community. The site license enables Brown community members (current students, faculty and staff) to access the Times’ current content without an individual subscription or monthly limits.
The one-year pilot of the service is now in effect. To get started, please go to the New York Times Help Page.
Photo credit: Sarah Gilbert, Flickr
Upload your Syllabus
Add a copy of your syllabus to the Academic Services Gateway.
Note: Once you upload your syllabus file, it may take up to 6 hours to appear on courses.brown.edu and Banner. For Canvas users, your syllabus will be uploaded immediately to the Syllabus folder for your course site.
For shopping period, instructors may direct students to courses.brown.edu to download syllabi and gain access to Canvas course materials. During shopping, instructors can distinguish Banner-registered students from shoppers using the "Registration Info" button in the Canvas course navigation menu. Learn more about shopping period and Canvas (and send this shopping period tip sheet to your students).
Note: Students can find captured video lectures for recorded courses during the High Holidays from the EchoCenter within Canvas (see left navigation in Canvas).
Publish Your Course
Students (including shoppers) will not be able to access course content until a course is published. From the Canvas Course Setup Checklist, click on the "Publish Course" step to make your course accessible to enrolled students. All Banner enrolled students will appear in your Canvas course site. Use the Student View to double check things are in order. Watch a video tutorial to learn more about publishing your course.
Do you have TAs or want to add other users not officially associated with your course? Submit this form (brown.edu/go/addcanvasusers) with your course information and the Brown email addresses of your TAs. They will gain access to Canvas and other course resources by the end of the next business day. Be sure to submit this form to grant OCRA access as well!
Activate your E-Reserves
Are you using OCRA E-Reserves for access to online readings, audio, and films? Activate your electronic reserves through the Library (library.brown.edu/reserves) and enable the E-Reserves button in Canvas. Please note film requests require at least 10 business days for your films to be reactivated. Watch a video tutorial to learn more about adding the E-Reserves button to your Canvas site.
Whether you're a new arrival or seasoned veteran, everyone in the Brown community is affected by, and should therefore be aware of, its computing policies. Adopted to ensure an equitable, appropriate, and legal use of Brown resources, these documents spell out your rights and responsibilities when using the University's computing resources.
Key policies include Acceptable Use, Network Connection, Copyright Infringement and the Policy on the Handling of Brown Restricted Information.
According to the Acceptable Use Policy, "acceptable use means respecting the rights of other computer users, the integrity of the physical facilities and all pertinent license and contractual agreements." Respecting the computing resources at Brown University is important because they "support the educational, instructional, research, and administrative activities of the University and the use of these resources is a privilege that is extended to members of the Brown community. As a user of these services and facilities, you have access to valuable University resources, to sensitive data, and to internal and external networks. Consequently, it is important for you to behave in a responsible, ethical, and legal manner."
So as you start a new—or your first—year at Brown, you are encouraged to become acquainted with the Computing Policy site, for your own benefit as well as everyone else's in our community.
Having trouble connecting? We've collected our top issues and how to solve them. For your privacy, security, and convenience, it's important that your computer and mobile devices are set up to connect to the Brown-Secure wireless network.