As the semester comes to a close, it is important to remember some of the tips we’ve shared over the semester. Among them are the information security and privacy techniques vital for protecting your sensitive information online. From choosing the correct Wi-Fi network to staying alert for phishing emails while off-campus, here are the things you need to keep in mind to have a fun and safe summer.

  • Avoid unsecured Wi-Fi and use secured Wi-Fi networks or connect with an Ethernet cable
    • Especially when checking financial or sensitive information on your laptop.
    • An unsecured Wi-Fi network could be a fake proxy or a real network simply compromised by a hacker, who is watching everyone’s activity.
    • Turn sharing settings off if you have to use an unsecured connection
  • Review the signs of a phishing email here
    • Not addressed to you; vague wording
    • Misspelled words or illogical statements
    • Requesting information randomly or urgently
    • Suspicious URL links
  • Stay safe on social networks
    • Restrict your privacy settings so only your friends can see your information
    • Be cautious if your information is requested in any way
    • Know where your information is going to and who can see it
  • Change your password now and stay one step ahead
    • Passwords have to be changed every 180 days
    • Make the fall transition easier by changing your password now
    • Check requirements and change password here
  • Use a virtual private network to work from home and stay secured
    • For Wentworth employees that require VPN access to the campus network when working remotely, please email our Information Security Office to find out more.

The next time you post something on Facebook that anyone can see, you will be greeted by a small blue blast from the past.  A tiny blue dinosaur (article and example from Sophos) now reminds users without privacy settings enabled to read and understand them better before they share information online.  The dino addresses the user by name and hopefully will encourage more people to be safer online.  This is a much needed step towards privacy and transparency for the social network giant.

The cartoon popup is just a test program but is already receiving great feedback, and hopefully it will spur more companies to follow suit by making their users’ privacy a bigger priority. The exact message you will receive is: “You haven’t changed who can see your posts lately, so we just wanted to make sure you’re sharing this post with the right audience. (Your current setting is Public, though you can change this whenever you post.)” It then gives you different options to limit who can see your post.


The Heartbleed Bug

John Knights — April 11, 2014

What is the Heartbleed Bug?

The Heartbleed Bug is a vulnerability that was discovered on April 7th in the code that some servers and websites use for secure communication. The vulnerability directly affects any secure connections that use OpenSSL. OpenSSL is a software library used by some web sites, web services, and servers to establish secure (SSL/TLS) communications between you and the server.

Why does this matter?

If you have connected to a web site or service that has used the vulnerable version of OpenSSL over the last 2 years, there is the potential that the security of that connection was compromised. This is a widespread vulnerability, as many sites and services use OpenSSL.

What is Wentworth doing?

After this vulnerability was made public, Wentworth Technology Services began running tests against all internet-facing web servers to check for the presence of this vulnerability. None have been found to be vulnerable, as the majority of the servers used by the Institute do not use OpenSSL. We are continuing our investigation to ensure that all internal servers, as well as those used for our externally hosted services, are free of this vulnerability. Any vulnerable server that we find will be addressed by applying updates and patches. We will continue to keep you posted through our Information Security website at http://www.wit.edu/dts/security, our security blog at blogs.wit.edu/security, and via Twitter @InfoSec_WIT.
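
One way an inventory check like the one described above can be triaged from collected server banners, as an added example that is not the scan Technology Services ran or any vendor's tool. The affected range is a published fact from heartbleed.com (linked below), not something stated on this page: OpenSSL 1.0.1 through 1.0.1f are affected, 1.0.1g is fixed, and the 1.0.0 and 0.9.8 branches never had the bug. The inventory entries and host names are constructed.

```python
"""Banner-based triage for the OpenSSL heartbeat bug (added example, not the
scan Technology Services ran). Affected range per heartbleed.com, not this
page: 1.0.1 through 1.0.1f affected; 1.0.1g fixed; 1.0.0 and 0.9.8 never
affected. Inventory lines below are constructed."""
import re

AFFECTED_MIN = (1, 0, 1, "")    # OpenSSL 1.0.1
AFFECTED_MAX = (1, 0, 1, "f")   # OpenSSL 1.0.1f

_VERSION_RE = re.compile(r"OpenSSL/?\s*(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, prerelease) from a banner such as
    'OpenSSL/1.0.1e' or 'OpenSSL 1.0.1g 7 Apr 2014', or None when the banner
    carries no OpenSSL version. Pre-release builds ('1.0.2-beta1') are flagged
    so the caller routes them to manual review instead of comparing them."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    prerelease = banner[m.end():m.end() + 1] == "-"
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4), prerelease)


def triage(banner):
    """Classify one banner: affected, not-affected, review, or no-openssl-banner."""
    v = parse_openssl_version(banner)
    if v is None:
        return "no-openssl-banner"
    if v[4]:
        return "review"
    return "affected" if AFFECTED_MIN <= v[:4] <= AFFECTED_MAX else "not-affected"


def triage_inventory(inventory):
    """Map each (host, banner) pair to its triage result."""
    return {host: triage(banner) for host, banner in inventory}


# Constructed inventory: the host names and banners are illustrative only.
INVENTORY = [
    ("www-1", "Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1e"),
    ("www-2", "nginx/1.4.6"),
    ("mail-1", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy-1", "Apache/2.2.3 (CentOS) OpenSSL/0.9.8e"),
    ("app-1", "OpenSSL/1.0.2-beta1"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:10} {status}")
```

A banner check is only a first pass. Distributions often backport the fix without changing the advertised version string, so an "affected" result means "confirm with the package changelog or a trusted scanner", and a hidden or absent banner proves nothing either way; the "review" bucket exists for exactly the builds the version comparison cannot settle.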

What should you do?

First of all, don’t panic. This vulnerability and how to address it are well known throughout the security community, and most sites that are potentially affected by this bug are in the process of fixing it or have already done so. A complete list of affected sites is not known. What we encourage you to do is check with the sites that you have a password for. Most sites will have a link or prominent notice indicating what they are doing to address this bug.

Below are some practices we suggest you follow to keep yourself safe:

  • Wait to perform any online banking or transactions with online retailers until they indicate it is safe to do so. After a notice has been posted or emailed to you, reset your password with that site.
  • Reset passwords directly at the site. Be suspicious of any email you receive asking you to click on a link that takes you to a password reset page. Although many of them will be legitimate, there is the possibility that it is a phishing email. Instead of clicking the link, copy and paste it into your browser’s address bar, or go directly to the site and look for its password reset page. (For Wentworth, we encourage users to always go directly to the password reset page that can be accessed through the Information Security site’s home page at the link above.)
  • DO NOT reply to any email asking for sensitive information, regardless of how legitimate it looks. No reputable site or company should ever ask you to send sensitive information (such as your SSN, credit card numbers, or passwords) via email.
  • If you suspect you are receiving any illegitimate emails, please forward them to SPAM@wit.edu.

For any questions, please contact the Technology Service Help Desk at 617-989-4984 or via email at HelpDesk@wit.edu.

For more information on the Heartbleed bug, visit heartbleed.com, posted by the researchers that discovered the vulnerability.


It is the Information Security Office’s goal to keep the Institute’s data and information systems as secure and safe as possible when online. We want students, staff, faculty, and Wentworth guests to feel comfortable connecting to our networks. One way we are working to improve our network’s security is through the implementation of Network Access Control (NAC) devices, to ensure that only students, staff, faculty, and Wentworth guests are using our network resources. This will optimize our network for the community and maintain a dynamic inventory of all devices connected at all times. The aim is to improve our visibility and monitoring capabilities in support of our network security initiatives, as well as to satisfy State and Federal regulatory requirements that we do so.

The implementation should be rather transparent to individuals that connect to LeopardSecure, as the only change is the addition of the appliances which work in the background. The only anticipated and expected noticeable aspect of this implementation will involve the individuals connecting to LeopardGuest.

For individuals connecting to the LeopardGuest wireless network, which is made available to guests visiting the Wentworth campus, there will now be a Guest Registration Page. What that will look like and how it will work will be posted on the NAC project page.

The Guest Registration page will only ask for an individual’s name, email, and phone number. Once the registration is complete, all a user will be required to do is enter the numbers provided through a text message (SMS message) to complete the registration and validate their device for use on the network.
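
The SMS-code step described above, modelled as an added example that is not the NAC appliance's code or anything Wentworth published. It shows the controls a defender wants around a one-time code: a random code, only a salted hash kept server-side, an expiry, and an attempt limit. The ten-minute lifetime and five-attempt limit are assumptions, as are the guest details used in the demo.

```python
"""Model of the SMS-code step of a guest registration page (added example, not
the NAC vendor's code). Shows random generation, salted-hash storage, expiry
and an attempt limit. Lifetime and attempt limit are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 10 * 60   # assumption: a code is valid for ten minutes
MAX_ATTEMPTS = 5             # assumption: five wrong guesses invalidate the code


class FakeClock:
    """Settable clock so expiry can be exercised without sleeping (example only)."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class GuestRegistry:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}      # device_id -> registration awaiting its SMS code
        self._authorized = {}   # device_id -> validated guest details

    def register(self, device_id, name, email, phone):
        """Record the three fields the page asks for and issue a fresh code.
        The code is returned only so the caller can hand it to the SMS gateway;
        it is never shown in the web response, and only a salted hash is kept."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[device_id] = {
            "guest": {"name": name, "email": email, "phone": phone},
            "salt": salt,
            "digest": hashlib.sha256(salt + code.encode()).digest(),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def validate(self, device_id, submitted):
        """Check a submitted code. Returns ok, wrong-code, expired, locked or
        unknown-device. A used, expired or locked code is discarded so it cannot
        be replayed or guessed at leisure later."""
        rec = self._pending.get(device_id)
        if rec is None:
            return "unknown-device"
        if self._clock() > rec["expires"]:
            del self._pending[device_id]
            return "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[device_id]
            return "locked"
        rec["attempts"] += 1
        digest = hashlib.sha256(rec["salt"] + submitted.strip().encode()).digest()
        if not hmac.compare_digest(digest, rec["digest"]):   # constant-time compare
            return "wrong-code"
        del self._pending[device_id]
        self._authorized[device_id] = rec["guest"]
        return "ok"

    def is_authorized(self, device_id):
        return device_id in self._authorized


if __name__ == "__main__":
    # Constructed demo: the device id and guest details are placeholders.
    registry = GuestRegistry()
    code = registry.register("device-demo", "Pat Guest", "pat@example.com", "555-0100")
    print("sent via SMS (demo only):", code)
    print(registry.validate("device-demo", code), registry.is_authorized("device-demo"))
```

The attempt limit is what makes a six-digit code acceptable: without it, a million guesses are cheap, and with five tries the chance of a blind hit is five in a million per code. Discarding the record on expiry, lockout or success keeps the table from becoming a list of half-finished registrations an attacker can keep probing.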

If you have any questions about this project, how we plan to roll it out, or just about NACs in general, please reach out to us via email at infosecurity@wit.edu.

Tax Season Scams

John Knights — March 21, 2014

Tax season can be a stressful time of year, especially when inboxes are inundated with phishing emails trying to obtain your tax refund. Each year these scams trick thousands of people who could have easily avoided financial misfortune with more preparation. When giving out personal information online always make sure you know who will be receiving it. When it comes to taxes, remember that the IRS will never contact you via email to request personal or financial information. The safest way to collect your tax return is to file electronically with the IRS FreeFile.

The main types of tax scams are:

  • Fake information about tax refunds you missed. Example
  • Warnings about unreported or under-reported income. Example
  • Offers to assist in filing for your refunds. Example
  • Dangerous links to fake IRS filing sites. Example

Often, tax phishing emails will have the same signs as other phishing emails, such as spelling errors and vague language. If an email is not addressed to you specifically, then it is probably a mass message from someone you want to avoid. If you are suspicious of an email and think it is a tax scam, don’t reply and don’t click any links inside the email. Simply forward the email to phishing@irs.gov and help keep the community safer. If you do click a link and are brought to a suspicious website, do not give out any information. If you are ever called and information is requested for tax purposes, ask for a call-back number and the person’s employee badge number so you can check with the IRS before giving out information. And finally, if you ever become a victim of an IRS-related phishing scheme, report it here to the Federal Trade Commission so their investigators can help.

Keep your guard up and be ready for phishing attempts. For more information, visit our information page on phishing attacks to better equip yourself against phishing and social engineering scams.

Phishing In Focus

givend — March 14, 2014

In the past decade, word of phishing has spread to the masses, and many people have learned what to avoid and look out for. In addition, software has improved and there are now online defenses against phishing. Mass messages that once tricked a few percent of unsuspecting email users are now mostly caught in elaborate spam filters, never to be opened. And the ones that do make it through are usually far too vague or generically addressed for the average user to be fooled by them. Unfortunately, the same campaigns used to educate the masses have also improved criminals’ techniques for stealing people’s information. Phishing has evolved from a wide, lazy net to more concentrated and tailored efforts against a specific group. This method is called spear phishing and is usually seen as a personalized attack against a known target or an attempt at impersonating a trusted company to fool any of its clients.

In the past few weeks a new spear phishing attack has been sent out to Netflix subscribers and placed in fake ads. It sends them to a fake login page that tells them their account has been suspended due to “unusual activity”. It then provides a phone number for a “customer representative” who tries to convince you to download “Netflix support software” that is really a remote login program. Once a user is fooled, the information on their computer could easily be stolen and their contact list sent the same phishing attack. This technique of posing as a trusted company has a higher success rate for scammers than traditional blanket phishing attacks, and can hurt companies’ reputations. This type of attack is exactly what we want to educate the community about and put an end to. If you are contacted and information is requested by an unknown or untrustworthy source, send the details to infosecurity@wit.edu for assistance.

Phishing isn’t going to get any easier to prevent in the near future; spam filters may block a majority of it, but with the sheer number of attempts, people are bound to encounter it eventually. Be prepared and never trust a message just because it claims to be from a company. Remember to always check the URL of the website you’re on and try to use an HTTPS secure connection whenever possible. If you want the most secure connection possible on each site, download HTTPS Everywhere here. Also, as a general rule, never give out your personal information over the phone to someone you don’t know, and never download something that doesn’t come from a good source. A quick search of the term “Netflix support software” would have told you about the scam. Always think before you click, especially during tax season, and we can all live in a safer online world.

Throughout Data Privacy Month we have covered a few important areas to help you better protect your privacy and information online. As the month comes to a close, remember to implement the tips you’ve learned and guard your information year round. Protecting yourself from phishing and other types of social engineering relies only on your vigilance. Always be on the lookout for suspicious communication requesting information, especially when there are spelling errors, mysterious links, or when something just doesn’t look or sound right to you. Ensure that trusted websites are the official versions and not just impersonations before you submit personal information. If you are suspicious of a website, link, or any form of communication, you can report it to Information Security.  To better prepare you for phishing attacks check out our Phishing page and report any potential spam or phishing emails to SPAM@wit.edu.

If you still haven’t, check your privacy settings on social networks and ensure your personal data that you do not want made available to the public is hidden. You can prevent your pictures from being stolen and used for advertising without your permission and stop future employers from scrutinizing your profile during the hiring process. Secure your account and help prevent hacking by choosing a more complex password. Don’t be convinced by scams that seem too good to be true and remember that the best thing to do is not click if you aren’t confident about the link.  For more on staying safe on social networks check out the last Information Security blog.

If you are using a public Wi-Fi hotspot, make sure that your sharing settings are off to ensure that you are not broadcasting your computer to others on the same network. Remember, if you need to check your bank account on a mobile device, use a 3G or 4G connection whenever possible as it is more secure. If you are on a laptop, connect using a Virtual Private Network (VPN) service to create a secure connection, which will then secure your information. (For Wentworth employees that require VPN access to the campus network when working remotely, please email our Information Security Office to find out more.) Always be cautious when in a public space, even when connecting to “secured” or encrypted Wi-Fi hotspots, as they may not employ the most up-to-date settings or security. At Wentworth, our LeopardSecure Wi-Fi network utilizes strong encryption, so you can be sure that your communications are secure. To learn more about public Wi-Fi, read the Information Security blog about it.

If everyone does their part in protecting sensitive information and following safe practices when online, all benefit. Not only are you safeguarding your information when following these practices, you are also protecting your families, friends, and colleagues. For the latest news, advisories and alerts, follow Wentworth’s Information Security Office on Twitter at @InfoSec_WIT and on the web at www.wit.edu/dts/security.

The majority of Americans online have a social networking profile that they use frequently, but far too many of us keep our information open and unsecured. Often people will feel safer on social networking sites compared to email because of less spam or the presence of their friends. Out of the over 1 billion monthly active Facebook users, as many as 11%, or well over 100 million profiles, are fake accounts. Some pet owners create accounts for their pets, while others have innocent secondary accounts created by users who got their first profile hacked. However, there are also disingenuous duplicate profiles, spamming profiles created by companies, or, maybe worse yet, phishing accounts from hackers.

Duplicate accounts can be used by hackers to pose as a person or business to request personal information through misleading private messages, a form of phishing. The goal is to acquire enough publicly available personal information that the criminals can then use to request a temporary password or similar access to the targeted individual’s accounts, bypassing the security measures. Think of the answers to “secret questions,” such as your pets’ names or your mother’s maiden name. Are these bits of personal information, often used for password reset applications, accessible through your social networking sites? Remember, it is not just about protecting yourself from a person with malicious intent viewing your site directly, but also from someone accessing the information from a compromised “friend” or “connection” account.

Checking your privacy settings on social networks is an easy step towards protecting yourself and keeping your data hidden. You can prevent your pictures from being stolen and used for advertising without your permission and stop future employers from using your profile against you during the hiring process. Always be careful with confusing or misspelled private messages, links leading away from the site you’re on, or pages that seem too good to be true. To learn more ways to spot a phishing email read our blog about it. The best thing to do is not click if you aren’t confident about the link. Send any suspicious links or messages to Information Security at abuse@wit.edu.

Finally, remember: what you put out on the internet stays on the internet, even if you delete it, so be cautious of what you share.

Phishing is a type of cyber attack that utilizes social engineering in an attempt to steal your identity by obtaining your personal information. By impersonating a person or company you trust, the scammer tries to obtain your passwords, credit card numbers, account numbers, birthdate, or other information. Phishing can be conducted via e-mail, websites, telephone, or even postal mail. The point is to exploit you without you knowing, and with your help. Knowing how to spot phishing attempts can protect you against having your identity stolen.

Protecting yourself from this type of cyber-attack relies only on your vigilance online. Always be on the lookout for odd letters or emails requesting information, especially when there are spelling errors or mysterious links. Often a phishing email will pose as one company but the link inside goes to a completely different obscure website. Ensure that trusted websites are the official versions and not just impersonations before you submit personal information. If you are suspicious of a website, link, or any form of communication, you can report it to Information Security by forwarding the email to spam@wit.edu or abuse@wit.edu.
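
The signs listed in the summer-tips checklist at the top of this page and in the paragraph above (a generic greeting, urgent wording, a sender that is not the company it claims to be, and a link whose visible text names one site while it really goes elsewhere) can be turned into a simple triage helper. The following is an added example, not a Wentworth tool or anything from the posts: the word lists are assumptions, the two sample messages are constructed, and the look-alike domain uses the reserved .example suffix.

```python
"""Heuristic phishing triage over a constructed message (added example, not a
Wentworth tool). Checks the signs the posts describe: generic greeting, urgency
wording, sender domain not matching the claimed brand, and link text that names
one site while the href goes to another. Word lists are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours", "verify now")
_DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Assumption: no public-suffix list, so
    two-part suffixes such as co.uk are not handled; enough for this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mismatched_links(html):
    """Links whose anchor text shows a domain that differs from the href's domain."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown = _DOMAIN_RE.search(text.lower())
        if not shown:
            continue  # wording like 'click here' carries no domain to compare against
        target = urlparse(href).hostname or ""
        if registrable_domain(shown.group(0)) != registrable_domain(target):
            findings.append((text, href))
    return findings


def phishing_signals(msg):
    """Return the triggered signs as short strings a help desk can quote back."""
    signals = []
    plain = re.sub(r"<[^>]+>", " ", msg["body"]).lower()
    if any(g in plain for g in GENERIC_GREETINGS):
        signals.append("not addressed to you (generic greeting)")
    hits = [w for w in URGENCY_WORDS if w in plain]
    if hits:
        signals.append("urgent or threatening wording: " + ", ".join(hits))
    sender_domain = msg["sender_addr"].rsplit("@", 1)[-1]
    if registrable_domain(sender_domain) != registrable_domain(msg["brand_domain"]):
        signals.append(f"sender domain {sender_domain} is not {msg['brand_domain']}")
    for text, href in mismatched_links(msg["body"]):
        signals.append(f"link shows '{text}' but goes to {urlparse(href).hostname}")
    return signals


def looks_like_phishing(msg, threshold=2):
    """Two or more signs together: report it rather than click (assumed cut-off)."""
    return len(phishing_signals(msg)) >= threshold


# Constructed samples: a lure modelled on the 'account suspended' pattern the
# posts describe, and a benign notice for contrast. Domains in .example are fake.
LURE = {
    "sender_addr": "billing@netfilx-support.example",
    "brand_domain": "netflix.com",
    "body": ('<p>Dear Customer,</p><p>Your account has been suspended due to unusual '
             'activity. Verify now at <a href="http://login.netfilx-support.example/">'
             'https://www.netflix.com/login</a> within 24 hours.</p>'),
}
BENIGN = {
    "sender_addr": "info@netflix.com",
    "brand_domain": "netflix.com",
    "body": ('<p>Hi Alex,</p><p>Your monthly statement is ready: '
             '<a href="https://www.netflix.com/account">www.netflix.com/account</a></p>'),
}

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN)):
        print(name, looks_like_phishing(msg), phishing_signals(msg))
```

The link comparison is the check worth keeping even if the word lists are dropped: anchor text is what the reader sees, the href is where the click goes, and a message in which the two name different sites is exactly the "poses as one company but the link goes to a completely different website" sign described above. Hovering over a link in a mail client shows the same thing by hand.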

The Wentworth Information Security Office also provides more on how to better prepare you for phishing attacks at our phishing information page.

What better place to catch unsuspecting people who are bored and want to go online than the airport? Next time you’re flying, be cautious of the wireless network you choose to join on your mobile device, because it could easily be an ad hoc network (a phone-to-phone connection) or another trap set by a hacker. Often a hacker will intercept information over an unsecured Wi-Fi network and acquire people’s passwords to social media or, worse yet, the credentials used to access their bank account online. Think of unprotected Wi-Fi like mailing a letter in a transparent envelope and placing it in an unsecured mailbox: you have to leave the information in it and wait for the mail carrier (the website) to pick it up. If a hacker gets to the information before the website (the mail carrier), he could view the contents and even tamper with them. The safest thing is to never input sensitive information on an unprotected Wi-Fi network.

If you need to check your bank account on a mobile device, use a 3G or 4G connection whenever possible as it is more secure. If you are on a laptop, connect using a Virtual Private Network, or VPN, service to create a secure connection, which will then secure your information. (For Wentworth employees that require VPN access to the campus network when working remotely, please email our Information Security Office to find out more.) Always be cautious when in a public space, even when connecting to “secured” or encrypted WiFi hotspots, as they may not employ the most up-to-date settings. At Wentworth, our LeopardSecure WiFi network utilizes strong encryption, so you can be sure that your communications are secure.

There are a few other things to consider when using public WiFi hotspots. First, make sure that your sharing settings are off. This will ensure that you are not broadcasting your computer to others on the same network, limiting your potential exposure. Secondly, be careful with your personal information even when you’re on a secure Wi-Fi network. Chrome’s Incognito and Mozilla’s Private Browsing modes cover your tracks on your own computer, but they leave the data you share vulnerable. Many sites allow for secure connections using an encrypted channel to their web site, through HTTPS. The problem is that even though it is available, many sites use unencrypted HTTP as the default to ensure connectivity. There is a tool that you can use with your browser named HTTPS Everywhere. HTTPS Everywhere is a browser plugin that solves this problem and secures your data by keeping you encrypted by default on every website that allows it. It is available for Mozilla Firefox, Google Chrome, and Opera.
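
The rewrite HTTPS Everywhere performs can be illustrated with a small upgrader, added here as an example that is not the extension's code or its ruleset format. It turns http:// links into https:// only for hosts on a list known to serve HTTPS, never downgrades, and leaves unknown hosts untouched so that connectivity is not broken; the host list is constructed for the example.

```python
"""URL upgrader in the spirit of HTTPS Everywhere (added example, not the
extension's code or its ruleset format). Upgrades http:// to https:// for
listed hosts only, never downgrades, leaves unknown hosts alone."""
from urllib.parse import urlsplit, urlunsplit

# Constructed list: exact hosts, plus '*.domain' entries that cover any subdomain.
HTTPS_CAPABLE = {"www.wit.edu", "*.wit.edu"}


def host_is_capable(host, capable=HTTPS_CAPABLE):
    """True when the host, or a '*.' wildcard entry covering it, is on the list."""
    host = host.lower()
    if host in capable:
        return True
    return any(host.endswith(entry[1:]) for entry in capable if entry.startswith("*."))


def upgrade_url(url, capable=HTTPS_CAPABLE):
    """Return the https:// form of a plain-HTTP URL for a capable host, else the
    URL unchanged. Non-http schemes (including https) are never touched."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    host = parts.hostname or ""
    if not host_is_capable(host, capable):
        return url   # unknown host: leaving it alone is what keeps sites reachable
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0]   # an explicit :80 must not follow to TLS
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def upgrade_links(urls, capable=HTTPS_CAPABLE):
    """Apply the upgrade to every link on a page, returning (original, result) pairs."""
    return [(u, upgrade_url(u, capable)) for u in urls]


if __name__ == "__main__":
    # Constructed sample links; example.com stands in for an unlisted third party.
    for before, after in upgrade_links([
        "http://www.wit.edu/dts/security",
        "http://blogs.wit.edu/security",
        "https://www.wit.edu/",
        "http://example.com/login",
    ]):
        print(f"{before}  ->  {after}")
```

The allowlist is the whole point: blindly rewriting every http:// link breaks sites that have no HTTPS endpoint, which is why the real extension ships per-site rules rather than a global switch, and why an unlisted host is left exactly as found.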