Archives For October 2013

National Cyber Security Awareness Month is just about through. As our last blog post for the month, we would like to share a few best practices for securing your computer before you go online. There are some good practices we’ve already covered on securing your data and recognizing social engineering attacks. Some common and often successful attacks do not infect your machine directly, but go after web servers instead. This way, they can infect any and all unprotected computers that visit the compromised site – one attack, infecting many computers.

How does it work? Well, there are two vital requirements for this to work. The first is a vulnerable web server that runs old software, is not kept up to date, or is just poorly managed. The second is a victim computer with unpatched web browsers and plug-ins visiting those sites. The victim computer goes to a compromised site, runs an embedded application (like Flash or Java), and the malicious code is executed. What happens to the victim computer is actually normal behavior: sites use embedded applications to enable special features or media to run within a website. These applications are usually trusted by your browser, which is only a problem when the content the application runs contains malicious code that your computer cannot defend against.

So what can you do to better protect yourself?

  • First, make sure you update your browsers and third-party plug-ins and extensions. A good, free tool to use is BrowserCheck from Qualys. You can run it from the site or install a plug-in for your browser; it runs and provides a quick listing of the status of various applications and plug-ins, with “Fix It” links to remediate the vulnerabilities found.

[Image: qualys-browsercheck]

  • Second, if you are willing to add an extra click to your Internet browsing, change your browser settings to ask you before launching a plug-in. For example, if you set Chrome’s Plug-in setting to “Click to play,” and you go to youtube.com, it would display the gray box below. You click to enable the Adobe Flash plug-in to run and it runs.

[Image: click-to-play]

  • Third, use an anti-malware program and keep it up to date. Most machines that are compromised by malware are not kept up-to-date with their anti-malware (or anti-virus) programs that could have easily caught the malicious code. There are those newer bits of malware that are considered “zero-day” viruses (which means there is no patch for them), but these are not as prevalent as your everyday viruses and no excuse to not keep yourself as protected as possible.

Sophos is the standard anti-malware program utilized at WIT. Most Institute-owned Windows-based machines should already have it installed, and licenses are available for faculty and staff who have Apple OS X-based Institute-owned computers. Send an email to infosecurity@wit.edu if interested in an enterprise version of the program. Check out our “Tools” page for a link to a free version for your personal devices.

  • Fourth and last, make sure you pay attention to what you click. A good way of preventing these attacks is to avoid these compromised sites to begin with. Be wary of phishing emails or tweets that ask you to follow a link. (Check out our page on Phishing.) Definitely be suspicious of email attachments, especially .exe files. 99% of emails with an .exe file are emails with malware attached.

We understand that it isn’t always easy to follow these tips as some services we use require the older versions of a browser or plug-in to work. Well, the advice for those that run into this is to use two different browsers. Use your favorite browser for everyday use and make sure it is as secure as possible by following these tips. Then utilize a second browser for those specific sites that require older versions.

UPDATE: Instructions for enabling “Click-to-Play” function on popular web browsers available from http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/.

The theme for this year’s National Cyber Security Awareness Month is “Our Shared Responsibility,” which aims to inform everyone of their role in making sure we are all using the Internet in a safer and more secure manner. One area that security professionals tend to focus on is how we authenticate to all the services and accounts we utilize through the Internet. To authenticate to these services, we typically use two components, a username and password. Whether it is a site that simply offers more information to those that subscribe or banking sites, we need to follow best practices when creating and maintaining these passwords. The following is a list of the top suggested best practices.


  1. Use complex passwords. It is key to make passwords hard to guess and hard to crack. To make sure that your password is strong and hard to break, make sure it:
    • Is at least 8 characters long
    • Does not match any of your previous 6 passwords
    • Does not contain your username, first name, or last name
    • Contains a character from 3 of the following 4 groups:
      • English uppercase characters (A through Z)
      • English lowercase characters (a through z)
      • Numerals (0 through 9)
      • Non-alphabetic characters ($ % ^ &)
  2. Never give anyone your password. Remember, DTS will never ask you for your password, and most service providers state the same as part of their policy and practice.
  3. Use a different password for every service or site you use. The main reason to do this is to minimize the potential impact if one of your accounts is compromised. For example, if you use the same password for Amazon, Outlook, and Twitter, an attacker can compromise all three by compromising only one. If you use different passwords and are compromised on one site, you just need to address the concerns of that site.
  4. Store your passwords securely. So you’re using different, complex passwords for each site. Now you need to manage them, and writing them down is not a good practice: a simple search on your computer for an unencrypted file, or a search of your desk for passwords written on Post-It notes, can compromise all of your accounts. You can use a password-protected Excel spreadsheet, which encrypts the file, but it is not convenient. A simple and convenient approach is best to make sure you stick with these best practices. A few password managers that are always at the top of the lists are LastPass, 1Password, and KeePass. Some are free, others are not. The price usually determines ease and flexibility more than security. Just make sure whichever you decide to use is from a reputable company or organization and works across all devices you use to access your accounts over the Internet.
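
To make the complexity rules above concrete, here is an added Python checker (example code, not from the original post or any WIT tool) that reports which of the rules a candidate password breaks. The salted-digest history store, the sample previous passwords, and the reading of “non-alphabetic” as any ASCII punctuation are assumptions made for this demo.

```python
import hashlib
import hmac
import string

# Constructed history store: salted SHA-256 digests of the last six passwords.
# Assumption for the demo only; a real system should use a slow password hash
# (bcrypt, scrypt or Argon2) rather than a single SHA-256 round.
SALT = b"constructed-demo-salt"

def digest(password):
    return hashlib.sha256(SALT + password.encode("utf-8")).hexdigest()

PREVIOUS_SIX = [digest(p) for p in ("Autumn2012!", "Winter2013!", "Spring2013!",
                                     "Summer2013!", "Fall2013!!", "Wit2013$$$")]

# The four character groups named in the policy; "non-alphabetic" is taken as
# any ASCII punctuation, which covers the $ % ^ & examples given.
GROUPS = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numeral": set(string.digits),
    "non-alphabetic": set(string.punctuation),
}

def check_password(password, username, first, last, previous=PREVIOUS_SIX):
    """Return the list of policy rules the password breaks (empty means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    lowered = password.lower()  # name checks are case-insensitive
    for label, value in (("username", username), ("first name", first), ("last name", last)):
        if value and value.lower() in lowered:
            problems.append(f"contains your {label}")
    hit = [name for name, chars in GROUPS.items() if any(c in chars for c in password)]
    if len(hit) < 3:
        problems.append(f"uses only {len(hit)} of the 4 character groups")
    # History is compared by digest; compare_digest keeps the comparison constant-time.
    if any(hmac.compare_digest(digest(password), old) for old in previous):
        problems.append("matches one of your previous 6 passwords")
    return problems
```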

If you have any questions or comments about what was covered today or in any of the previous posts, please contact us at infosecurity@wit.edu.

National Cyber Security Awareness Month is in full swing and this week’s topic is about protecting data. Information security is all about protecting the privacy and availability of data. One of the main causes behind a compromise of data privacy is accidental disclosure. Members of Technology Services are continually working to improve the systems and tools used to protect the Institute’s data privacy and availability, but there are limitations to what can be done centrally. Review the following tips you can use to ensure that we all are working together to secure our sensitive data and protect the Institute against accidental disclosures.

TIP 1: KNOW WHAT DATA YOU HAVE. Before you can protect data, you need to know what you have that needs protecting. The Institute utilizes a tool called Identity Finder. This is a good tool that searches through all the files on your computer to identify potentially sensitive information based on the criteria you provide. For example, if you set it to search for social security numbers, it will search for all the ways a number can be expressed (e.g., with or without dashes) and return the results to you. What is especially useful about this tool is that it can perform tasks on the files that match the criteria you have set, such as shred (deletes the file in a secure manner) or quarantine (relocates files to a predetermined location for easier management). For more information on Identity Finder and how to use it, please visit our Identity Finder resource page. For those who do not have it installed on their machines, please go to our Tools & Resources page for information on obtaining a free version.

TIP 2: DELETE WHAT YOU DON’T NEED. Once you determine what sensitive data you store locally, consider whether or not you really need to have it. If it is data that your department uses, then store it on your department’s shared drive. Of course, set the permissions on the folder(s) to ensure only those who need the data can access the folder. Another route would be to utilize your P-drive. This stores the files in our trusted datacenter and is routinely backed up. For more information on these options, visit our page on connecting to network resources.

TIP 3: PROTECT WHAT YOU KEEP. Data protection can be accomplished by following computer security best practices for data protection. The basic three are:

  • Encrypt data that you plan to transport, including via email or on a mobile device such as an iPad;
  • Use strong passwords on all devices and ensure that they automatically lock after a short idling period;
  • Physically lock down your mobile devices, on and off campus.

This list is in no way complete, but it is a strong start. Collectively, these practices will help you keep the data you choose to store on your machine safe. For more information on these best practices and the tools available to follow them, please contact infosecurity@wit.edu or visit our Tools & Resources page on the web.

National Cyber Security Awareness Month has produced quite a bit of useful information. One topic that continues to dominate the security headlines is social engineering attacks. Last week we went through a spear phishing email. This week, we’ll look at where some social engineers get the information they use to go after you: social networking sites.

Social networking sites have changed the way we communicate and keep track of one another. There have been great advantages to these innovative services, from staying connected with distant friends and relatives to helping us promote ourselves and find new jobs. As with any great advancement in technology, folks have found ways to exploit them to harm others. Social networking sites have been used to gather information to improve social engineering attacks, spread malware, and establish new forms of old malicious activities, such as cyber bullying. Below are some quick tips and resources to better protect yourself and your social networking profiles from malicious attacks.

  1. Use different passwords for each site or service you use. This way, if one site’s security or password is compromised, the threat is contained to just the site or service affected.
  2. Know what the site or service does with your information. The best way to know what these sites can and may do with your information is to read the privacy statement for each service you use; it typically also explains which settings to change to opt out of or opt in to a privacy feature.
  3. Share responsibly. Remember, what you put out into the web, stays on the web. If you have information or a photo that you wouldn’t want broadcasted out to the general web, don’t put it on your site or service. Even when you have all the privacy settings turned on and you chose to share only to your friends, content can still make its way out of those boundaries you’ve created.
  4. Think before you click. Social networking sites are a treasure trove for social engineers. An increasing number of phishing attacks are using information obtained from your social networking site profiles, and those of your friends, to craft very specific and intricate emails used to trick you into a nefarious activity. Be cautious and think before you click on any links within emails.
  5. Stay informed. Follow us on Twitter! We follow lots of useful resources that will keep you up to date on all sorts of cyber security topics.

A couple weeks ago, some of our Wentworth community members received what is called a phishing email. More specifically, it would be considered a spear phishing email, as the email appeared to be coming from a legitimate group on campus, our own Help Desk, addressed to our community.

Although this email was one of the more sophisticated examples we’ve seen, it still contained a few essential items that should raise your suspicion. So what did the message look like? Well, it looked similar to most service update emails.

[Image: message]

Unlike most phishing emails, it was free of spelling errors and grammatically correct, or at least good enough. The message itself was close to what we would send from DTS and the links appeared correct. They appeared correct, but a closer look revealed some hidden truths.

The “From:” field contained an address that looked right, except if you look closer, you can see that there is an underscore after “helpdesk.”

[Image: helpdesk_]


Another, more hidden item was the webpage that the “Access E-Mail” link actually links to. (TIP: hover your mouse over a link to see where it will actually take you!)

[Image: fake_link]

The latter half of the link, “https.employee.wit.edu.htm”, is actually a page within the website hosted at mail-wit [dot] ga522 [dot] net, rather than the website shown in the visible link text in the email.
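The two tells described above, the stray underscore in the sender address and a link whose visible text names one site while its href points at another, are exactly what a mail filter or help-desk triage script can flag automatically. The following Python script is an added example, not part of the original post; the sample message, the trusted-sender list, and the lookalike host name are all constructed placeholders rather than real addresses or indicators.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the spear phish described above: the sender has a
# stray underscore and the link's visible text does not match its href. The
# lookalike host is a made-up placeholder, not a real indicator.
SAMPLE = """From: DTS Help Desk <helpdesk_@wit.edu>
Content-Type: text/html

<p>Please sign in to complete the upgrade:
<a href="http://mail-wit.lookalike.example/https.employee.wit.edu.htm">https://employee.wit.edu/owa</a></p>
"""
TRUSTED_SENDERS = {"helpdesk@wit.edu"}  # assumption: the real Help Desk address

class LinkCollector(HTMLParser):
    # Collects (visible text, href) pairs for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    if "://" not in url:  # visible link text often lacks a scheme
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(raw_message):
    # Returns human-readable findings; an empty list means nothing suspicious.
    msg = email.message_from_string(raw_message)
    findings = []
    sender = parseaddr(msg["From"])[1].lower()
    if sender not in TRUSTED_SENDERS:
        findings.append(f"From address {sender} is not a known Help Desk address")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for text, href in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and shown != real:  # text names one site, href goes to another
            findings.append(f"link shows {shown} but goes to {real}")
    return findings
```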

If you had clicked on the link, it took you to a page that was an exact replica of our webmail log-in page. Except, instead of logging you into our Exchange e-mail service, it just captured your credentials and sent them to the attacker.


When we find or are alerted of these messages, we do our best to inform the affected users and block the site, which is what we did. (TIP: To report phishing emails, please email them to abuse@wit.edu.)


So how can you catch these in the future?

1. Familiarize yourself with what official emails look like.

This first example is a Wentworth Announcement that departments send out to communicate announcements, events, and general information the targeted audience should know. Below is an example.

[Image: example1]

The “From” is going to be the department sending the message and the “To” will always be “Wentworth Announcements.” In addition, we brand all messages from the departments sending out the announcement.

There are times that DTS will send messages from within a system to inform individuals about items that require their attention. Below is an example password expiration notice.

[Image: example2]

Notice that “DTS Help Desk” is indicated as the sender in the “From” field, which properly resolves to the actual Help Desk email address of “helpdesk@wit.edu.” In addition, for these individually targeted emails, DTS will include your Wentworth ID number (redacted here for security reasons). Make sure you verify that before going any further with these very important emails. Again, the message is branded as a “Division of Technology Services” email.

2. Read more about phishing on our Information Security webpage at http://wit.edu/dts/security/training-awareness/top-topics/phishing.html

This page has more examples and resources to better equip yourself with the knowledge to make sure you don’t get caught the next time someone goes phishing!