Lenovo Vulnerability Update

Technology Services has recently received reports of a vulnerability found in the Superfish software pre-installed on Lenovo computers. We have verified that the Lenovo computers we issue to our community do not contain this vulnerability, as the computers Wentworth issues have a customized installation that does not include the Superfish software.

If you have recently purchased a personal Lenovo computer or want to learn more about this vulnerability, please visit https://www.us-cert.gov/ncas/current-activity/2015/02/20/Lenovo-Computers-Vulnerable-HTTPS-Spoofing.

-Technology Services Information Security Office

In case you missed any of the tips, discussions, or useful resources throughout the Data Privacy Day events this month, we have consolidated a few of the key links below:

Data Privacy Day may be over, but we are going to continue along with EDUCAUSE in celebrating Data Privacy Month! Follow us on Twitter (@InfoSec_WIT), on the web (WIT Information Security Site), and our blog (Information Security Blog).

 


#ChatDPD Week 3 Recap

John Knights — January 22, 2015

This week’s #ChatDPD Twitter Chat, hosted by StaySafeOnline.org, covered the topic of “Things You Should Know about Your Privacy on the Go.” Most of us have a mobile device that is used to connect to the Internet. Whether it is a phone, tablet, or laptop, make sure you are checking your security settings to ensure your device is only connecting to networks you trust.

Not sure what all the fuss is about? Check out today’s short, yet informative blog from Stay Safe Online titled “The Year of WiFi Security: Protect Yourself in 2015 and Beyond” for a quick look at the risks and tips to mitigate them.

For more on the Twitter Chat itself, take a look at the transcript available at: http://staysafeonline.org/blog/chatdpd-twitter-chat-transcript-things-you-should-know-about-your-privacy-on-the-go.

If you are interested in Data Privacy Day and would like to learn more, please go to our January 7th blog “Data Privacy Day (and Month) 2015!”

In addition to this blog, you can follow us on Twitter, @InfoSec_WIT, and check us out online at http://www.wit.edu/dts/security.


#ChatDPD Week 2 Recap

John Knights — January 16, 2015

We celebrate Data Privacy Day this month on January 28th. One way people are getting involved is by joining the Twitter Chats taking place each Wednesday this month. The chats started out with the suggestion that we all add a new resolution for ourselves to do better with protecting our health information.

Last week’s chat subject involved privacy and business. More specifically, how privacy was good for business. Over the last 18 months, there has been what seems like an endless stream of data breaches reported from some of the largest retail companies. These breaches have had substantial financial impacts on these companies, but that’s not all.

The impact of these breaches goes a bit beyond just their short-term financial losses. Breaches have the potential to cause havoc to an organization’s reputation, affecting consumer confidence, which can lead to further loss of revenue. Good privacy practices are good for business; find out what some businesses were saying during last week’s Twitter Chat at: http://staysafeonline.org/blog/chatdpd-twitter-chat-transcript-privacy-is-good-for-your-business.


#ChatDPD Week 1 Recap

John Knights — January 9, 2015

As part of the Data Privacy Day campaign, the National Cyber Security Alliance (NCSA) is hosting a series of “Twitter Chats” this month. Each chat – hosted on Twitter at 3pm EST each Wednesday this January – will bring together various members of the cybersecurity community to discuss a privacy topic.

This week’s topic was “Make a New Resolution: Stay On Track While Protecting Your Health Information.” Questions involved the personal devices used to track your health (small wrist bands or clip-on devices that can be used in conjunction with your smartphone to track various health-related items like your heartbeat, sleeping patterns, steps you take each day, etc.). The questions asked involved where that data lives and who has access to it, and what the industry should consider as best practices to ensure that these devices and the applications they use maintain the level of privacy that their users demand.

In summary, everyone agreed that these devices tracked valuable personal health data and all were concerned with how these data are kept private. Many suggested that an important task that the user should be responsible for is reading those user agreements to understand what information is gathered, where it may be stored or how it may be used, and who may have access to it. In addition, make sure you do your research on the companies and their devices before you purchase one or configure one if you already have one. Folks are fairly vocal about privacy concerns these days and there is surely going to be some news regarding companies’ bad practices or compromisable devices.

For a full transcript of the Twitter Chat, please follow this link: http://www.staysafeonline.org/blog/chatdpd-twitter-chat-chat-transcript-make-a-new-resolution-stay-on-track-while-protecting-your-health-information.


Data Privacy Day (DPD) is observed on January 28th. Data Privacy Day is focused on, well, data privacy of course. Officially recognized in the United States and Canada since 2008 as Data Privacy Day, today commemorates the first international treaty dealing with data privacy and protection. As we were last year, we are proud to join the National Cyber Security Alliance as a Data Privacy Day Champion and will be participating in the various discussions taking place over the next few weeks.

Want to get involved with Data Privacy Day? Check out how at StaySafeOnline.org at http://www.staysafeonline.org/data-privacy-day/get-involved/.

Also, join in on the weekly Twitter chat series (@DataPrivacyDay), each Wednesday at 3pm by following #ChatDPD. More information available at http://www.staysafeonline.org/data-privacy-day/events/.

In addition to Data Privacy Day, EDUCAUSE will be observing Data Privacy Month from January 28th through February 28th. Join us and be a Data Privacy Champion!

There are various ways to stay connected with us:


 

As students, faculty, and staff members come back from our winter break to begin the new semester, we want to make sure we are sharing some useful security tips you should follow for those new devices you may have been gifted or purchased over the holidays. The following list is an excerpt from a Newsletter compiled by the Center for Internet Security and the Multi-State Information Sharing and Analysis Center. We recommend you take a look and consider these tips to ensure you are following security best practices for your new and older internet-enabled devices (computers, smartphones, tablets, game consoles, smart TVs, etc.).

  • Configure your device with security in mind. The “out-of-the-box” configurations of many devices and system components are default settings often geared more toward ease-of-use and extra features rather than securing your device to protect your information. Enable security settings, paying particular attention to those that control information sharing.
  • Turn on your firewall. Firewalls provide an essential function of protecting your computer or device from potentially malicious actors. Without a firewall, you might be exposing your personal information to any computer on the Internet.
  • Enable encryption. Encryption makes it hard for attackers who have gained access to your device to obtain access to your information. It’s a powerful tool that you should consider implementing.
  • Lock the device. Locking your device with a strong PIN/password makes unauthorized access to your information more difficult. Additionally, make sure that your device automatically locks after five minutes of inactivity. This way, if you misplace your device, you minimize the opportunity for someone to access your personal information.
  • Regularly apply updates. Manufacturers and application developers update their code to fix weaknesses and push out the updates and patches. Enable settings to automatically apply these patches to ensure that you’re fixing the identified weaknesses in the applications, especially your operating system, web browser and associated third party apps.
  • Install antivirus software. Install antivirus software if it is available for your device to protect from known viruses. Additionally, enable automatic updating of the antivirus software to incorporate the most recently identified threats.
  • Be careful downloading apps. When downloading a new app to your device, you are potentially providing that app with a lot of information about you, some of which you may not want to share. Be proactive and make sure that you read the privacy statement, review permissions, check the app reviews and look online to see if any security company has identified the app as malicious. A good way to prevent accidental downloading of malware is to use a trusted store instead of third party stores. Google Play Store and Apple’s App Store proactively remove known malicious apps to protect users.
  • Disable unwanted services/calling. Capabilities such as Bluetooth, network connections and Near Field Communications provide ease and convenience in using your smartphone. They can also provide an easy way for a nearby, unauthorized user to gain access to your data. Turn these features off when they are not needed.
  • Set up a non-privileged account for general web use. Privileged (such as Administrator or Root) accounts allow users to make changes and access processes and functions that are not needed on a daily basis. A compromised administrative account provides attackers with the authority to access anything on your computer or possibly even your network. Setting up a non-privileged account for use in browsing websites and checking emails provides one more layer of defense.

As many gather with family and friends to celebrate the holidays, there are cyber criminals that are taking every opportunity to take advantage of you. Below are a few tips we’d like to share with you to better protect yourself this holiday season.

  • Suspicious (Phishing) Email Attacks – Be suspicious of any unsolicited email, especially those with attachments and those that ask for sensitive information. If you are unsure, visit the company or organization’s website directly and use the contact information posted there to contact someone that can assist you. Do not trust the contact information within the potential phishing email itself. Examples include: E-cards, Travel Itineraries, Coupons or Advertisements, Delivery Receipts or Error Notices.
  • Links in Unsolicited Texts and Social Media Posts – Avoid clicking on links in text messages or social media posts, as it is hard to tell where they actually will lead you.
  • Protect Credit Card Information – Use a pre-paid credit card or gift card to limit the potential data compromise or amount that a thief can obtain if they steal your card data. This can also be useful for online transactions.

For additional information on these tips and to find out more about how to avoid being caught in a phishing attack, please use the resources below.

2014 NCSAM Recap

John Knights — November 6, 2014

National Cyber Security Awareness Month (NCSAM) has come to a close. This year’s NCSAM was a success with over 100 “Champions” (including Wentworth) and 200 institutions participating. There were a lot of great topics covered throughout the month. The Twitter chats brought folks from all over private/public and higher ed to talk about subjects from online safety to recovering from cybercrime.

One of the regional events took place down in Rhode Island, hosted by the Community College of Rhode Island. Their “Security Awareness Day” event brought together folks from the cybersecurity field to share ideas and their top concerns. Topics ranged from technical concerns regarding the “Internet of Things” to more administrative topics regarding information risk management. Regardless of the topic, the message is clear: there is a lot to protect ourselves from and we need to make sure we are all doing what we can to follow cybersecurity best practices.

What are some of these best practices? Here are a few:

  1. Use two-factor authentication whenever possible and/or available. Two-factor (also referred to as Two-Step authentication) means that to successfully authenticate into a service/site/application, you need something in addition to your traditional password. These can be anything from a fingerprint to a PIN that is sent to you via text, the latter being the most popular method for personal services, like Dropbox or Facebook. The good thing about 2-factor authentication is that if your password is ever compromised, the attackers would also need the other factor to successfully log into the service that your compromised password would access.
  2. Learn to recognize, avoid, and report phishing emails. Phishing emails are one of the least technically sophisticated methods to compromise accounts, yet one of the most effective. The attacker(s) will send out an email to an entire organization or segment of an organization and all it takes is one person with the right level of access to share their credentials and
  3. Use a different password for each site you sign in to. Phishing and other social engineering techniques work. What they often aim to grab are your credentials (usernames and passwords). Why? If they can get you to share your username and password, they can access your systems/accounts, and if you use the same credentials at work, they can potentially access sensitive databases and grab information on everyone at your workplace and/or customers. By using a different password for each site, you limit the scope of a potential compromise.
  4. Patch your applications, operating systems, and plug-ins. A lot of the malware our computers are compromised by can be due to just not staying current with updates and fixes that the vendors send out to address vulnerabilities in their applications. Malware can be introduced to your system through a variety of ways (email attachments, using a compromised USB drive, visiting websites with malicious content) and sometimes they can be installed without any user interaction. Staying current with your applications, mainly browsers and plugins, can greatly reduce your vulnerabilities that can be exploited.

Cybersecurity awareness doesn’t end because NCSAM is over. Stay connected with us by checking in on our Blog (which you’re reading now), by subscribing to our Newsletter (subscribe here), and by following us on Twitter (@InfoSec_WIT). If you have any ideas to help make any of these resources better and/or have topics you would like us to cover, please email us at infosecurity@wit.edu.

NCSAM Week 4 Recap

John Knights — October 24, 2014

Last week’s Twitter chat (#ChatSTC) was on “Cybersecurity for Small and Medium-Sized Business and Entrepreneurs.” During an hour-long chat on Twitter last Thursday, organizations and individuals joined together to discuss the top concerns and share tips on addressing them.

What was apparent is that many of the same threats and challenges that large corporations face each day are applicable to small and medium businesses. Actually, these are issues that all organizations face, even in higher ed. If you’re interested in learning more about what was discussed, stop by the StaySafeOnline.org Blog (link below) and read some of the highlights from yesterday’s discussion.

Students, as you go on your co-ops or prepare to graduate and begin your careers, it doesn’t matter what field or discipline you’re in. Cybersecurity affects all organizations, and as part of the NCSAM campaign, we’d like to remind everyone that cybersecurity is “Our Shared Responsibility.”

Join next week’s Twitter chat on “Preventing and Recovering from Cybercrime.”

Link to StaySafeOnline.org Blog – “Cybersecurity and the Risk to the Small Business Owner”

Link to National Cyber Security Awareness Month information page.