The following article appeared in the August 2013 issue of OUCH! magazine and was written by James Tarala. More details about this author and OUCH appear at the end of this article.
Who Are You?
The process of proving who you are (called authentication) is a key step in protecting your online information. You want to be sure only you have access to your private information, so you need a secure method to prove who you are, such as when you check email, purchase something online or access your bank accounts. You can prove who you are in three different ways: something you know, such as a password; something you have, such as your passport; and something you are, such as your fingerprint. Each of these methods has its advantages and disadvantages. The most common authentication method is using something you know: passwords.
You most likely use passwords almost every day. The purpose of a password is to prove you are who you say you are; it is an example of something you know. The danger with passwords is that if someone else can guess or gain access to your password, they can then pretend to be you and access all of the information it protects. This is why you are taught steps to protect your password, such as choosing strong passwords that are hard for attackers to guess. The problem with passwords is that on their own they are quickly becoming dated. With faster hardware it is becoming easier for attackers to brute-force passwords (systematically try candidates until one works), and passwords can also be harvested outright with tools such as keystroke loggers, in which case strength does not help at all. A more secure solution is needed for strong authentication. Fortunately, such an option is becoming more common: two-step verification. To protect yourself, we highly recommend you use this option whenever possible.
Two-step verification (sometimes called two-factor authentication) is a more secure way to prove your identity. Instead of requiring just one step for authentication, such as a password (something you know), it requires two. Your ATM card is an example. When you withdraw money from an ATM, you are actually using a form of two-step verification. To prove who you are when accessing your money, you need two things: the ATM card (something you have) and the PIN (something you know). If you lose your ATM card your money is still safe; anyone who finds your card cannot withdraw your money because they do not know your PIN (unless you wrote your PIN on your card, which is a bad idea). The same is true if they only have your PIN and not the card. An attacker must have both to compromise your ATM account. This is what makes two-step verification so much more secure: the two factors are of different kinds, so stealing one does not give up the other.
Using Two-Step Verification
One of the leaders in online two-step verification is Google. With a variety of free online services such as Gmail, Google needed to provide a stronger authentication solution for its millions of users, so it rolled out two-step verification for most of its online services. Not only is Google's two-step verification a free service any Google user can sign up for, but other online providers use similar technology for their services, such as Dropbox, Facebook, LinkedIn and Twitter. By understanding how Google's two-step verification works, you will understand how many other online two-step verification services work.
Google's two-step verification works as follows. First, you will need your username and password, just as before. That is the first factor, something you know. Google then requires a second factor, something you have: specifically, your smartphone. There are two different ways you can use your smartphone as part of the login process. The first is to register your phone number with Google. When you attempt to authenticate with your username and password, Google sends a new, unique code to your smartphone by SMS, and you then have to enter this code to log in. The other option is to install the Google Authenticator app on your smartphone. The app holds a secret that is set up once, when you enrol the phone, and from that secret it generates a fresh code every 30 seconds; Google holds the same secret and computes the same code to check your entry. The advantage of this second approach is that the phone does not need mobile coverage or any connection to a service provider, and because no code is ever transmitted to the phone there is nothing for an attacker to intercept in transit.
Two-step verification is usually not enabled by default; it is something you will have to turn on yourself. In addition, many mobile apps and older email clients cannot prompt for the second step. For those you will need application-specific passwords, which you can generate once you enable two-step verification. Be aware that an application-specific password logs in with no second step at all, so treat each one as a secret, give each app its own, and revoke any you no longer use. Finally, you may have the option of creating backup codes in case you lose your smartphone. Each backup code works only once. We recommend you print them out and store them in a safe, locked location, not on the phone they are meant to replace.
We highly recommend you use two-step verification whenever possible, especially for critical services such as email or file storage. Two-step verification goes much further to protect your information, as criminals have to work much harder to try and compromise your accounts.
Resources:
Google Two-Step Verification: http://www.google.com/landing/2step/
Common Security Terms: http://www.securingthehuman.org/resources/security-terms
SANS Security Tip of the Day: https://www.sans.org/tip_of_the_day.php
James Tarala is a speaker, author and senior instructor with the SANS Institute. He is a principal consultant at Enclave Security and a contributor to the Critical Security Controls and AuditScripts.com. You can follow James on Twitter @isaudit or meet him in person at one of his upcoming courses.
OUCH! August 2013 issue: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201308_en.pdf
OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 3.0 license.
Over 3,200 individuals have taken the Protecting Brown's Information class to learn what constitutes "Brown Confidential Information"; where, when and how it's at risk; and what you can do to mitigate that risk. Are you one of them? Or has it been a while and you'd like a refresher? Materials are available online and include a video of the class and a comprehension test. You can register for the online class on LearningPoint.
Would your department like a refresher course, perhaps during a staff meeting? ISG would be happy to come to you. Email us at ISG@brown.edu for more information or if you’re interested in arranging a special session of Protecting Brown Information, which can be tailored to your needs.
The University Library, with support from the Office of the Provost, is pleased to announce the availability of the New York Times via a site license for the Brown community. The site license enables Brown community members (current students, faculty and staff) to access the Times’ current content without an individual subscription or monthly limits.
The one-year pilot of the service is now in effect. To get started, please go to the New York Times Help Page.
Photo credit: Sarah Gilbert, Flickr
Upload your Syllabus
Add a copy of your syllabus to the Academic Services Gateway.
Note: Once you upload your syllabus file, it may take up to 6 hours to appear on courses.brown.edu and Banner. For Canvas users, your syllabus will be uploaded immediately to the Syllabus folder for your course site.
For shopping period, instructors may direct students to courses.brown.edu to download syllabi and gain access to Canvas course materials. During shopping, instructors can distinguish Banner-registered students from shoppers using the "Registration Info" button in the Canvas course navigation menu. Learn more about shopping period and Canvas (and send this shopping period tip sheet to your students.)
Note: Students can find captured video lectures for recorded courses during the High Holidays from the EchoCenter within Canvas (see left navigation in Canvas).
Publish Your Course
Students (including shoppers) will not be able to access course content until a course is published. From the Canvas Course Setup Checklist, click on the "Publish Course" step to make your course accessible to enrolled students. All Banner enrolled students will appear in your Canvas course site. Use the Student View to double check things are in order. Watch a video tutorial to learn more about publishing your course.
Do you have TAs or want to add other users not officially associated with your course? Submit this form (brown.edu/go/addcanvasusers) with your course information and the Brown email addresses of your TAs. They will gain access to Canvas and other course resources by the end of the next business day. Be sure to submit this form to grant OCRA access as well!
Activate your E-Reserves
Are you using OCRA E-Reserves for access to online readings, audio, and films? Activate your electronic reserves through the Library (library.brown.edu/reserves) and enable the E-Reserves button in Canvas. Please note film requests require at least 10 business days for your films to be reactivated. Watch a video tutorial to learn more about adding the E-Reserves button to your Canvas site.
Whether you're a new arrival or seasoned veteran, everyone in the Brown community is affected by, and should therefore be aware of, its computing policies. Adopted to ensure an equitable, appropriate, and legal use of Brown resources, these documents spell out your rights and responsibilities when using the University's computing resources.
Key policies include Acceptable Use, Network Connection, Copyright Infringement and the Policy on the Handling of Brown Restricted Information.
According to the Acceptable Use Policy, "acceptable use means respecting the rights of other computer users, the integrity of the physical facilities and all pertinent license and contractual agreements." Respecting the computing resources at Brown University is important because they "support the educational, instructional, research, and administrative activities of the University and the use of these resources is a privilege that is extended to members of the Brown community. As a user of these services and facilities, you have access to valuable University resources, to sensitive data, and to internal and external networks. Consequently, it is important for you to behave in a responsible, ethical, and legal manner."
So as you start a new (or your first) year at Brown, you are encouraged to become acquainted with the Computing Policy site, for your own benefit as well as that of everyone else in our community.
Having trouble connecting? We've collected our top issues and how to solve them. For your privacy, security, and convenience, it's important that your computer and mobile devices are set up to connect to the Brown-Secure wireless network.
Are you frustrated with Gmail compose windows that are "stuck" to the bottom right corner of your browser? Learn how to set them free with this video tip.
Google Forms recently updated to be more consistent with other Google Drive document types. Two helpful new features are auto save and real-time collaboration. The new format is fairly intuitive, but you should be aware of one major change – form responses do not get collected in a spreadsheet by default.
To indicate that you would like to collect responses in a spreadsheet, click the “Choose response destination” button at the top while editing the form.
Need help connecting to Brown's secure wireless network? Drop in for wireless help at the CIT building (115 Waterman Street):
- Wednesday 9/4, 8:30 am - 5pm, CIT 210
- Thursday 9/5, 12 pm - 5pm, CIT 165
- Friday 9/6, 8:30 am - 5pm, CIT 210
Also note that the CIS Help Desk and Computing Accounts and Passwords office has returned to the CIT building as part of our initiative to build an IT Service Center, a single location to provide in-person IT services offered by CIS.
The IT Service Center, which is normally open only during Brown business hours, is extending its hours for Back to School weekend:
- Saturday 8/31 - 10am to 4pm
- Sunday 9/1 - 10am to 4pm