On October 23rd, LinkedIn began offering Intro, their "Insights in your inbox", which allowed users to see LinkedIn (LI) profiles in their iPhone mail app. This extension of Apple's built-in iOS mail app is accomplished by routing email through a LI proxy server, where LI information is added to messages, which are then returned to the iPhone. According to Martin Kleppmann, senior software engineer at LI, "With Intro you can see at a glance the picture of the person who's emailing you, learn more about their background, and connect with them on LinkedIn." Here's a graphic that demonstrates how this works.
Intro immediately drew criticism from the IT security world, which pointed out that, in essence, Intro intercepted emails in order to inject LinkedIn information, a kind of "man-in-the-middle attack." Bishop Fox, a global security firm, responded with the article "LinkedIn 'Intro'duces Insecurity", which listed ten reasons they considered it "a bad thing." These included concerns over attorney-client privilege, that LI changed the content of emails and a device's security profile, that it stores email communications, and that its use could be a "gross violation of your company's security policy." They concluded their article by saying that the use of Intro at Bishop Fox would be banned on company devices until they could further investigate, and recommended that others do likewise and not introduce it into their environments.
Martin Kleppmann responded to this criticism on the 24th, pointing out that Intro was an "opt-in" feature, requiring users to install it before being able to use it, and that usernames, passwords, and email contents are not permanently stored anywhere inside LinkedIn data centers, but instead on your iPhone. (See the update on LinkedIn Intro: Doing the Impossible on iOS for a full list of Kleppmann's reasons.)
Since this story continues to develop and evolve, ISG recommends that LinkedIn/iOS users wait until all the facts are in so that they can make an informed decision on whether or not to use Intro.
- About LinkedIn Intro
- LinkedIn Intro: Doing the Impossible on iOS by Martin Kleppmann, Senior Software Engineer at LinkedIn (10/23)
- Graphic of Intro IMAP Proxy Service and iOS mail client
- LinkedIn ‘Intro’duces Insecurity by Bishop Fox (10/23)
- LinkedIn wants the keys to your email for its innovative new Intro feature – but can you trust it? by Jon Russell, Asia Editor for The Next Web (10/24)
- LinkedIn’s Intro Feature Is Very Cool And A Spectacularly Bad Idea by Matthew Panzarino, writer for TechCrunch (10/24)
- The Facts about LinkedIn Intro by Cory Scott, Senior Manager, Information Security at LinkedIn (10/26)
- LinkedIn attempts to iron out security concerns surrounding Intro for iOS (author unknown, 10/26)
- LinkedIn defends security of Intro service by Michael Lee, Journalist, ZDNet (10/28)
October is National Cyber Security Awareness Month, a time set aside to heighten awareness of online threats and how to protect yourself, your computer or device, personal information, identity, bank account and/or reputation.
Each October the Information Security Group ratchets up its efforts to bring its message of computing safety to the Brown community. As part of this year's theme of Don't Get Caught, Get Cautious, ISG has planned special Brown Bags, prepared online materials that include weekly quizzes, and is once again holding a raffle, with prizes that include an iPad mini and Samsung Galaxy Tab 3.
Visit brown.edu/go/cybersecurity for full details on how to sign up for classes and enter the contest.
When you're sitting on top, you have a great view of others. The downside is, you're now easy to spot and make a better and more tempting target.
As Android's popularity has risen*, so has its attractiveness to hackers. This is akin to underdog Firefox becoming the favored alternative to Internet Explorer when the latter was under siege, and then the hackers turning their sights on the more visible Firefox.
So the bad news for users of Android is that it's now under attack. One way you could be affected is by downloading rogue apps from third-party websites, such as recounted in the August 13, 2013 story New Android malware is being distributed through mobile ad networks.
The good news is, if you read the article closely, you'll notice that the mobile ad networks it mentions are more common in areas where mobile devices can't access the official Google Play store or users have difficulties in purchasing applications in a legitimate manner. According to Antone Gonsalves in his September 27, 2013 article Become a hacker. Coding experience not needed., this is generally in places like "Asia, Eastern Europe and Russia (where) infection rates for Android smartphones are higher because people regularly download apps from sketchy sites. In the U.S., the vast majority of people use Google Play, so the chance of infection is minuscule."
So even though you Android users might breathe a little easier seeing this, note the importance of using Google Play as your marketplace for apps. Since a few bad ones slip through occasionally, it's also a good practice to read an app's reviews and download statistics before clicking that install button.
And for a nice rundown of Android antivirus software, see Darlene Storm's article Mobile malware madness: Favorite target? Android. Here's 3 free security apps. It paints a less rosy picture, but then it is from the point of view of AV vendors. Still, some good advice at zero cost to you.
In summary, nothing is safe 100% of the time, but you can take some precautions to protect yourself: download only legitimate apps, run an antivirus program, and use your common sense. If something appears a bit iffy, steer clear.
* According to a survey from the Pew Internet & American Life Project, in May 2013, Android led iOS by 3 percentage points (28% of mobile phone owners' smartphones were Android, 25% running iOS). Read more about smartphone trends at US Smartphone OS Race Still Close, as Men, Younger Users Favor Android.
Do you like spam? Of course I’m talking about unsolicited bulk mail, and not the canned food. That could be a whole other message, which perhaps I’ll address in a future memo. I have a feeling that no one answered yes to my question. No one likes electronic spam, and yet we need to learn to live with it, as it will continue to direct itself to our in-boxes.
Did you know that most of the email around the world is actually spam? While there have been periods where the percentage was consistently over 90%, recent years have the numbers between 85-90%, thanks to the more rapid shutting down of botnets, which are responsible for most of the spam traffic. Brown is not immune to this phenomenon, as these same percentages are seen in messages coming to the Brown domain.
The good news is that a high percentage of them never reach your email box, and many of those that do are still identified as spam and sent to the spam folder. I’m sure we all agree that we would not want to sift through that many messages to find the real mail in our box. Compare yourself to Bill Gates, who receives approximately four million messages per year. Imagine going through all those messages each day to find the 1,000 legitimate ones if spam filters did not work!
Spam is not only a nuisance, but it can be malicious in nature, especially if it is also a phishing email. Brown has recently been the victim of several phishing attacks, to which some of our community have fallen victim. Not only does this place the victim’s personal information at risk, but it also propagates the phishing scam deeper throughout our community via the person’s contact list. The Information Security Group and the CIS Help Desk work quickly in identifying the compromised account, and aid the victim in stopping the attack. This is all part of our mission here at Brown. Still, we wish to get to the point where no one in the Brown community falls for a phishing scam. You can learn tips to help you spot a phish by visiting the ISG Phishing Primer here.
As this is October, and once again Brown is participating in National Cyber Security Awareness Month, we will also be hosting a brown bag on 10/10/13 entitled “Don’t Get Caught…by a Phishing Phony”. Learn about this, and all of the activities of the month at www.brown.edu/go/cybersecurity.
As always, I welcome your comments and feedback. Please feel free to reach out to me directly at email@example.com, or the group at ISG@brown.edu. Let me know how we are doing, areas of concern you may have, or questions on protecting your identity or personal computing security. And remember, sec_rity is not complete without U!
As of October 3rd, the Information Security Group will be located on Brown's main campus in the 169 Angell building, accessed from the entrance on Angell, opposite the Brown Bookstore/Bank of America entrance. Offices are on the second floor in some of the space formerly occupied by the Help Desk (which is now situated in the new Service Center in CIT 101).
Besides performing information security consults on-site, ISG also has a hard drive crusher used for crushing no-longer needed drives containing data covered under the Brown Restricted Information Policy. If you have any that fit that description, or others that you simply desire to destroy, please contact us at ISG@brown.edu to arrange an appointment.
If you are new to Brown or missed ISG's earlier announcements, we recommend that you install and run Identity Finder, a useful addition to anyone's security toolkit. It allows you to scan your computer for any sensitive information that might be stored on it -- such as social security numbers or passwords -- and then take appropriate measures to either secure or remove it.
The enterprise version is available to all active faculty and staff from CIS's software download pages. In addition, students and home users can install a free version available on the Identity Finder website on their personal computers to perform basic search and remediation. More robust personal versions are also available.
ISG recommends that you install and periodically run Identity Finder to detect and secure sensitive data on your computer, which will help protect you from identity theft. More information is available in the Identity Finder FAQ.
Please note: If you already have Identity Finder installed but haven't used it since last summer, you will be asked to update to version 6.2, which is available for download from CIS' Software Distribution site (click OS and search for Identity Finder). Note you will need your current client before installing the new version.
Over 3,200 individuals have taken the Protecting Brown’s Information class to learn what constitutes “Brown Confidential Information”; where, when and how it’s at risk; and what you can do to mitigate that risk. Are you one of them? Or has it been awhile and you’d like a refresher? Materials are available online and include a video of the class and comprehension test. You can register for the online class on LearningPoint.
Would your department like a refresher course, perhaps during a staff meeting? ISG would be happy to come to you. Email us at ISG@brown.edu for more information or if you’re interested in arranging a special session of Protecting Brown's Information, which can be tailored to your needs.
The following article appeared in the August 2013 issue of OUCH! magazine and was written by James Tarala. More details about this author and OUCH appear at the end of this article.
Who Are You?
The process of proving who you are (called authentication) is a key step to protecting your online information. You want to be sure only you have access to your private information, so you need a secure method to prove who you are, such as when you check email, purchase something online or access your bank accounts. You can prove who you are in three different ways: what you know, such as a password, what you have, such as your passport, and who you are, such as your fingerprint. Each one of these methods has its advantages and disadvantages. The most common authentication method is using what you know: passwords.
You most likely use passwords almost every day in your life. The purpose of a password is to prove you are who you say you are. This would be an example of something you know. The danger with passwords is that if someone else can guess or gain access to your password, they can then pretend to be you and access all of the information that is secured by it. This is why you are taught steps to protect your password, such as using strong passwords that are hard for attackers to guess. The problem with passwords is they are quickly becoming dated. With newer technologies it is becoming easier for cyber attackers to forcibly test and eventually guess passwords or harvest them with technologies such as keystroke loggers. A simpler yet more secure solution is needed for strong authentication. Fortunately, such an option is becoming more common -- something called two-step verification. To protect yourself, we highly recommend you use this option whenever possible.
Two-step verification (sometimes called two-factor authentication) is a more secure way to prove your identity. Instead of requiring just one step for authentication, such as passwords (which is something you know), it requires two steps. Your ATM card is an example. When you withdraw money from an ATM machine, you are actually using a form of two-step verification. To prove who you are when accessing your money, you need two things: the ATM card (something you have) and the PIN number (something you know). If you lose your ATM card your money is still safe; anyone who finds your card cannot withdraw your money as they do not know your PIN (unless you wrote your PIN on your card, which is a bad idea). The same is true if they only have your PIN and not the card. An attacker must have both to compromise your ATM account. This is what makes two-step verification so much more secure: you have two layers of security.
Using Two-Step Verification
One of the leaders in online two-step verification is Google. With a variety of free online services such as Gmail, Google needed to provide a stronger authentication solution for its millions of users. As such Google rolled out two-step verification for most of its online services. Not only is Google’s two-step verification a free service any Google user can sign-up for, but other online providers are using similar technology for their services, such as Dropbox, Facebook, LinkedIn and Twitter. By understanding how Google’s two-step verification works, you will understand how many other online two-step verification services work.
Google’s two-step verification works as follows. First, you will need your username and password, just as before. That is the first factor, something you know. However, Google then requires a second factor, something you have -- specifically, your smartphone. There are two different ways you can use your smartphone as part of the login process. The first is to register your phone number with Google. When you attempt to authenticate with your username and password, Google will SMS a new, unique code to your smartphone. You then have to enter this number when you log in. The other option is to install Google authentication software on your smartphone. The software then generates a unique code for you. The advantage with this second approach is that you do not need to be connected to a service provider, as your phone generates your code for you.
Two-step verification is usually not enabled by default; it is something you will have to enable yourself. In addition, most mobile apps are not yet compatible with two-step verification. For most mobile apps you will need to use application-specific passwords, which you can generate once you enable two-step verification. Finally, you may have the option of creating recovery keys in case you lose your smartphone. We recommend you print those out and store them in a safe, locked location.
We highly recommend you use two-step verification whenever possible, especially for critical services such as email or file storage. Two-step verification goes much further to protect your information, as criminals have to work much harder to try and compromise your accounts.
Where you can use two-step verification:
Google Two-Step Verification: http://www.google.com/landing/2step/
Common Security Terms: http://www.securingthehuman.org/resources/security-terms
SANS Security Tip of the Day: https://www.sans.org/tip_of_the_day.php
James Tarala is a speaker, author and senior instructor with the SANS Institute. He is a principal consultant at Enclave Security and a contributor to the Critical Security Controls and AuditScripts.com. You can follow James on Twitter @isaudit or meet him in person at one of his upcoming courses.
OUCH! August 2013 issue: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201308_en.pdf
OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 3.0 license.
The latest issue of Secure IT! has been released, now located on the new Information Technology site. While this brings a slightly different look to the newsletter, it continues to offer timely tips to keep you safe online.
We invite you to peruse this issue, view back issues (to 2010) and send us ideas for future ones. Enjoy!
- CISO Memo: Spam, Spam, Spam, Spam :: A nuisance that can also be malicious.
- October means National Cyber Security Awareness Month :: And lots of chances to "Don't Get Caught, Get Cautious" and enter a contest to win an iPad mini or Samsung Galaxy Tab 3.
- Identity Finder Reminder :: Not running Identity Finder regularly? Find out how and why.
- Android Malware :: Being popular makes you a desirable target.
- ISG Moves to Main Campus :: Now conveniently located at the intersection of Angell & Thayer.
- Two-Step Verification :: When passwords aren't enough.
- Protecting Brown's Information :: Never taken the class? Like a refresher?
Here are ISG's Ten Travel Tips for your mobile device, especially for those traveling outside of the U.S. Please take a few moments to review them as an ounce of prevention now can save a pound of trouble later.
- Contact your cellular provider several weeks before you travel to discuss and activate the most cost-effective plan to fit your needs. For Brown devices, contact Telecommunications at 863-2007 or firstname.lastname@example.org. For non-Brown devices, users can contact their cellular provider directly.
- For phones, familiarize yourself with international roaming and data charges. We recommend turning off or setting a limit on cellular data usage for your smartphone to prevent incurring significant fees.
- Consider using Google+ Hangouts to bypass the phone. See the About Hangouts site for help on getting started.
- When traveling with a laptop, remove all PII from it or encrypt it. If possible, we recommend using a laptop specifically designated for travel with no personal information on it. Note: CIS has loaner laptops for faculty, staff and grad students who are working on projects when traveling abroad. The loaners can be signed out at the Computer Service & Repair window.
- Become aware of and comply with all export controls. For example, some countries ban or severely regulate the use of encryption, so you should check country-specific information before traveling with an encrypted laptop. See the Symantec Endpoint Encryption FAQ on international traveling restrictions for details.
- Set a strong password or passcode for your device. Here are some ideas on how to create a strong and memorable password.
- Make sure all operating system and anti-malware software is current. If you haven't installed an anti-malware client for your phone, do so.
- Install device finder software, such as Computrace (for laptops) or Lookout (for tablets and phones).
- Use VPN to connect to Brown's network when away from it. CIS offers both web and client versions. If you haven't used VPN before, test it before leaving.
- Make sure you have contact information for your local IT support professional and the Help Desk before you leave (email@example.com, 863-4357).