Archives For InfoSec Awareness

Data Privacy Day 2016!

John Knights —  January 20, 2016

Data Privacy Day (DPD) is observed internationally on January 28th. It is focused on “respecting privacy, safeguarding data and enabling trust,” and its stated goal is to “create awareness about the importance of privacy and protecting personal information.”

Want to get involved with Data Privacy Day? Check out how at StaySafeOnline.org: http://www.staysafeonline.org/data-privacy-day/get-involved/.

Also, join in on the two Twitter chats hosted by @STOPTHINKCONNECT taking place this month. The first is today at 3pm; use #ChatSTC to join! More information is available at https://stopthinkconnect.org/campaigns/twitter-chat-series.


You may have heard of the recent IRS data breach involving the “Get Transcript” application. Approximately 200,000 accounts were targeted and about half were compromised, according to the New York Times. The IRS is expected to send notifications to those affected. We would like to caution everyone to be vigilant for suspicious correspondence: a breach like this also gives malicious actors an opening to send phishing emails and other fraudulent messages that try to trick individuals into handing over sensitive information or money.

How you can best protect yourself.

The IRS will never ask you to remit payment or disclose sensitive information via email. Phishing emails are not the only way these malicious actors can attempt to scam you: they may also call you and try to socially engineer you into revealing valuable information or paying for “services” related to the breach. Be wary of any attempt to get you to pay for identity theft protection; the IRS has said it is providing credit monitoring free of charge to affected individuals, so anyone charging for it is not the IRS. If you need to confirm that a notice is genuine, go to irs.gov yourself (not through a link or phone number in the message) and contact the IRS using the details posted there.

The IRS has a few pages devoted to these topics. Make sure to take a look at them to best arm yourself against these scams.

If you feel that you may be a victim or would like to report suspicious correspondence, the FBI requests that a complaint be filed through the IC3 (Internet Crime Complaint Center) at http://www.ic3.gov.

 

UPDATE: The IRS has posted a comment on their site at http://www.irs.gov/uac/Newsroom/IRS-Statement-on-the-Get-Transcript-Application.

 

Technology Services – Information Security

Lenovo Vulnerability Update

John Knights —  February 20, 2015


Technology Services has recently received reports of a vulnerability in the Superfish software pre-installed on some consumer Lenovo computers. Superfish adds its own root certificate to the system’s trusted certificate store so that it can intercept HTTPS traffic, and the private key for that certificate is the same on every affected machine; anyone who extracts that key can impersonate any HTTPS site to those computers. We have verified that the Lenovo computers we issue to our community are not affected, as the computers Wentworth issues have a customized installation that does not include the Superfish software.

If you have recently purchased a personal Lenovo computer or want to learn more about this vulnerability, please visit https://www.us-cert.gov/ncas/current-activity/2015/02/20/Lenovo-Computers-Vulnerable-HTTPS-Spoofing. A quick check on Windows: open the certificate manager (certmgr.msc), look under Trusted Root Certification Authorities for a certificate issued to “Superfish, Inc.”, and if it is there, remove it as well as the Superfish application. Uninstalling the application alone does not remove the certificate, and the computer remains exposed until the certificate is gone.

-Technology Services Information Security Office

Data Privacy Day (DPD) is observed on January 28th and is focused on, well, data privacy of course. Officially recognized in the United States and Canada since 2008, the day commemorates the signing of the first international treaty dealing with data privacy and protection. As we were last year, we are proud to join the National Cyber Security Alliance as a Data Privacy Day Champion and will be participating in the various discussions taking place over the next few weeks.

Want to get involved with Data Privacy Day? Check out how at StaySafeOnline.org: http://www.staysafeonline.org/data-privacy-day/get-involved/.

Also, join in on the weekly Twitter chat series (@DataPrivacyDay), each Wednesday at 3pm by following #ChatDPD. More information available at http://www.staysafeonline.org/data-privacy-day/events/.

In addition to Data Privacy Day, EDUCAUSE will be observing Data Privacy Month from January 28th through February 28th. Join us and be a Data Privacy Champion!


 

Securing Your New Devices

John Knights —  January 7, 2015

As students, faculty, and staff members come back from winter break to begin the new semester, we want to share some useful security tips for the new devices you may have been gifted or purchased over the holidays. The following list is an excerpt from a newsletter compiled by the Center for Internet Security and the Multi-State Information Sharing and Analysis Center. We recommend you take a look and apply these tips to your new and older internet-enabled devices alike (computers, smartphones, tablets, game consoles, smart TVs, etc.).

  • Configure your device with security in mind. The “out-of-the-box” configurations of many devices and system components are default settings geared more toward ease of use and extra features than toward protecting your information. Enable the security settings, paying particular attention to those that control information sharing.
  • Turn on your firewall. Firewalls provide an essential function of protecting your computer or device from potentially malicious actors. Without a firewall, you might be exposing your personal information to any computer on the Internet.
  • Enable encryption. Encryption protects the information on a device that is lost or stolen: whoever ends up with the hardware still cannot read your data without your passcode or key. It’s a powerful tool that you should consider turning on; it is built into modern smartphones, and laptops offer it as FileVault (OS X) or BitLocker (Windows).
  • Lock the device. Locking your device with a strong PIN/password makes unauthorized access to your information more difficult. Additionally, make sure that your device automatically locks after a short period of inactivity (five minutes at most). This way, if you misplace your device, you minimize the window in which someone can access your personal information.
  • Regularly apply updates. Manufacturers and application developers update their code to fix weaknesses and push out the updates and patches. Enable settings to automatically apply these patches to ensure that you’re fixing the identified weaknesses in the applications, especially your operating system, web browser and associated third party apps.
  • Install antivirus software. Install antivirus software if it is available for your device to protect from known viruses. Additionally, enable automatic updating of the antivirus software to incorporate the most recently identified threats.
  • Be careful downloading apps. When downloading a new app to your device, you are potentially providing that app with a lot of information about you, some of which you may not want to share. Be proactive and make sure that you read the privacy statement, review permissions, check the app reviews and look online to see if any security company has identified the app as malicious. A good way to prevent accidental downloading of malware is to use a trusted store instead of third party stores. Google Play Store and Apple’s App Store proactively remove known malicious apps to protect users.
  • Disable unneeded wireless services. Capabilities such as Bluetooth, Wi-Fi and Near Field Communication provide ease and convenience in using your smartphone. They can also provide an easy way for a nearby, unauthorized user to reach your device and your data. Turn these features off when they are not needed.
  • Set up a non-privileged account for general web use. Privileged (such as Administrator or Root) accounts allow users to make changes and access processes and functions that are not needed on a daily basis. A compromised administrative account provides attackers with the authority to access anything on your computer or possibly even your network. Setting up a non-privileged account for use in browsing websites and checking emails provides one more layer of defense.

As many gather with family and friends to celebrate the holidays, cyber criminals are taking every opportunity to take advantage of you. Below are a few tips we’d like to share to help you better protect yourself this holiday season.

  • Suspicious (Phishing) Email Attacks – Be suspicious of any unsolicited email, especially one with attachments or one that asks for sensitive information. If you are unsure, visit the company or organization’s website directly and use the contact information posted there to reach someone who can assist you. Do not trust the contact information or links inside the suspected phishing email itself. Common lures include e-cards, travel itineraries, coupons or advertisements, and delivery receipts or error notices.
  • Links in Unsolicited Texts and Social Media Posts – Avoid clicking on links in text messages or social media posts; a shortened or disguised link gives you no way to tell where it will actually take you.
  • Protect Credit Card Information – Use a pre-paid card or gift card, particularly for online purchases, so that a thief who steals your card data can only reach the balance on that card rather than your main account.
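The advice above comes down to one habit: look at where a link really goes, not at what it says. The script below, an added example written for this post and not code from the original newsletter, does that check automatically over the links in an HTML email body. It flags anchor text that names one site while the href points to another, hrefs that hide the real host behind a `user@` prefix, bare IP addresses, and punycode look-alike domains. The sample message is constructed; the hostnames in it are illustrative only.

```python
"""Flag deceptive links in an HTML e-mail body (standard library only)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Visible anchor text that itself looks like a URL or hostname, e.g. "www.bank.example/login"
LOOKS_LIKE_HOST = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?]|$)", re.I)


def registrable(host: str) -> str:
    """Crude approximation of the registrable domain: the last two labels
    ('www.bank.example' -> 'bank.example'). Enough to answer 'is this the same site?'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str) -> list:
    """Return the reasons this link looks deceptive (empty list = nothing found)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    # http://bank.example@evil.example/ : the browser ignores everything before '@'
    if parts.username is not None:
        reasons.append("userinfo before the host hides the real destination")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible look-alike domain)")
    m = LOOKS_LIKE_HOST.match(text)
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append(f"visible text says {m.group(1)} but link goes to {host or '(empty)'}")
    return reasons


def scan_email(html: str) -> list:
    """[(href, text, reasons), ...] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


# Constructed sample: a fake delivery notice with two deceptive links and one honest one.
SAMPLE_EMAIL = """
<p>Your package could not be delivered. Reschedule at
<a href="http://tracking-update.example.net/r">www.ups.com/tracking</a>.</p>
<p><a href="http://paypal.com@198.51.100.7/login">Confirm your account</a></p>
<p>Questions? <a href="https://www.wit.edu/">www.wit.edu</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(("SUSPICIOUS " if reasons else "ok         ") + href, reasons)
```

The registrable-domain comparison is deliberately crude (it treats `co.uk`-style suffixes as a domain); a production filter would use the public suffix list. The point of the example is the mismatch itself: a message that shows you one address and sends you to another has already told you what it is.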

For additional information on these tips and to find out more about how to avoid being caught in a phishing attack, please use the resources below.

2014 NCSAM Recap

John Knights —  November 6, 2014

National Cyber Security Awareness Month (NCSAM) has come to a close. This year’s NCSAM was a success with over 100 “Champions” (including Wentworth) and 200 institutions participating. There were a lot of great topics covered throughout the month. The Twitter chats brought folks from all over private/public and higher ed to talk about subjects from online safety to recovering from cybercrime.

One of the regional events took place down in Rhode Island, hosted by the Community College of Rhode Island. Their “Security Awareness Day” event brought together folks from the cybersecurity field to share ideas and their top concerns. Topics ranged from technical concerns regarding the “Internet of Things” to more administrative topics regarding information risk management. Regardless of the topic, the message was clear: there is a lot to protect ourselves from, and we need to make sure we are all doing what we can to follow cybersecurity best practices.

What are some of these best practices? Here are a few:

  1. Use two-factor authentication whenever it is available. Two-factor (also referred to as two-step) authentication means that to sign in to a service, site or application you need something in addition to your password: anything from a fingerprint to a one-time code generated by an app or sent to you by text message, the latter being the most common option for personal services such as Dropbox or Facebook. The benefit is that if your password is ever compromised, the attacker also needs the second factor to log in to the service that password protects. Where a service offers it, a code from an authenticator app or a hardware token is the stronger choice, since text messages can be intercepted or redirected to an attacker’s phone; a text-message code is still far better than a password alone.
  2. Learn to recognize, avoid, and report phishing emails. Phishing emails are one of the least technically sophisticated methods to compromise accounts, yet one of the most effective. The attacker(s) will send out an email to an entire organization or segment of an organization and all it takes is one person with the right level of access to share their credentials and
  3. Use a different password for each site you sign in to. Phishing and other social engineering techniques work. What they often aim to grab are your credentials (usernames and passwords). Why? If they can get you to share your username and password, they can access your systems/accounts, and if you use the same credentials at work, they can potentially access sensitive databases and grab information on everyone at your workplace and/or customers. By using a different password for each site, you limit the scope of a potential compromise.
  4. Patch your applications, operating systems, and plug-ins. Much of the malware that compromises computers gets in simply because the updates and fixes that vendors release to address vulnerabilities were never applied. Malware can reach your system in a variety of ways (email attachments, a compromised USB drive, websites carrying malicious content), and sometimes it can be installed without any user interaction. Staying current, especially with browsers and their plug-ins, greatly reduces the set of vulnerabilities an attacker can exploit.

Cybersecurity awareness doesn’t end because NCSAM is over. Stay connected with us by checking in on our Blog (which you’re reading now), by subscribing to our Newsletter (subscribe here), and by following us on Twitter (@InfoSec_WIT). If you have any ideas to help make any of these resources better and/or have topics you would like us to cover, please email us at infosecurity@wit.edu.

 

[Image: Internet of Things. By Wilgengebroed on Flickr [CC-BY-2.0 (http://creativecommons.org/licenses/by/2.0)], via Wikimedia Commons]

Last week, as part of NCSAM, there was a Twitter Chat on the widely-used term and concept of the “Internet of Things.”

So what does the “internet of things” really mean? There are a lot of perspectives from which one could answer this question. The term seems to have come up as a way to label the proliferation of devices being developed and brought to market that connect, in one way or another, to the internet. More succinctly, it refers to all our interconnected devices. These range from refrigerators that notice you are low on milk and send you an email, to lightbulbs connected to an app on your smartphone to help you conserve energy.

So why would this be something to talk about as part of a cybersecurity awareness discussion? Simply to increase awareness. As covered in the chat, “[a]ccording to Cisco, there will be 50 billion Internet-connected devices by 2020.” If this prediction comes true, that would be roughly three times the number of devices connected today. The more devices that connect to the Internet, the more devices that need to be kept up to date and protected against the threats we face on the web.

Here are a few things to consider to better secure all your “Internet of Things” devices:

  1. Understand what your device captures and what it shares. Many devices collect information and upload it to a cloud service that the companion app then connects to. Read the privacy statement and look specifically for what information is captured, whether any of it is shared with third parties, and how securely it is transferred and stored between the device(s) and the service provider.
  2. Keep your device software up to date. As with all your “smart” devices, make sure both the device firmware and the companion app are kept current with patches, fixes, updates, and upgrades from the manufacturer or a trusted application provider. The more devices there are, the more vulnerabilities will eventually be found in them, so keep them current.
  3. Use separate networks at home. If you have multiple devices at home connected through your wireless router or access points, consider running a separate, dedicated network for those devices (most home routers offer a guest network that can serve this purpose). This way, a compromised lightbulb or treadmill cannot spread malware to, or otherwise attack, the laptop, smartphone or tablet on your main network, which is where your sensitive data actually lives. “Smart” devices are built with interconnectivity and ease of use as the main goals, which often means security tradeoffs.

Feel free to comment with any of your suggestions.

Recently, there has been news coverage of a class of vulnerabilities in USB devices, dubbed “BadUSB.” Every USB device contains a small controller chip that tells the computer it is plugged into what kind of device it is (a storage drive, a keyboard, a network adapter) so the computer can connect it and put it to use. This happens quietly in the background. The controller runs its own small program, referred to as its firmware, and the problem is that on many USB devices this firmware can be rewritten, and nothing on the device or the computer checks that it is still the manufacturer’s original.

What does this mean for you? The firmware on a USB device can be replaced with malicious code, and because the computer trusts whatever a device says about itself, a reprogrammed “flash drive” can also announce itself as a keyboard and type commands the moment it is plugged in, or as a network adapter and redirect your traffic, or quietly alter files as they are copied. None of this requires you to open a file or click anything, and an antivirus scan of the drive will not find it, because the malicious code lives in the controller, not in the files.

There is a partial silver lining. Some of what a malicious device can do still depends on a weakness on the computer (for example, a flaw in a driver it tricks the computer into loading), so keeping up with operating system and application patches for all your devices still helps. (See yesterday’s blog for more on the importance of keeping your machine up to date with patches.) But a device that simply behaves like a keyboard works against a fully patched machine, because keyboards are supposed to be trusted; for that part of the problem, the only real defense is controlling which devices get plugged in.
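One practical check that follows from the description above: a reprogrammed stick usually gives itself away in the interface classes it enumerates, because a “flash drive” that also presents a keyboard or a network adapter is not behaving like a flash drive. The script below is an added example written for this post, not code from the original or from the BadUSB researchers; the inventory it scans is constructed, and `read_sysfs()` shows where the same data comes from on a real Linux host.

```python
"""Spot USB devices that enumerate as more than they claim (the BadUSB pattern)."""
import glob
import os

# USB-IF interface class codes
HID, CDC_CONTROL, CDC_DATA, MASS_STORAGE, WIRELESS = 0x03, 0x02, 0x0A, 0x08, 0xE0
INPUT_CLASSES = {HID}
NETWORK_CLASSES = {CDC_CONTROL, CDC_DATA, WIRELESS}
STORAGE_WORDS = ("flash", "disk", "drive", "storage", "stick")


def suspicious(product: str, classes) -> list:
    """Reasons a device's interface mix does not fit what it claims to be (empty = fine)."""
    classes = set(classes)
    reasons = []
    if MASS_STORAGE in classes and classes & INPUT_CLASSES:
        reasons.append("storage device also presents a keyboard/HID interface")
    if MASS_STORAGE in classes and classes & NETWORK_CLASSES:
        reasons.append("storage device also presents a network interface")
    # Name says storage, descriptors say otherwise: firmware replaced wholesale.
    if (any(w in product.lower() for w in STORAGE_WORDS)
            and MASS_STORAGE not in classes
            and classes & (INPUT_CLASSES | NETWORK_CLASSES)):
        reasons.append("claims to be storage but presents no storage interface")
    return reasons


def scan(devices: dict) -> dict:
    """devices: {name: {'product': str, 'classes': [int, ...]}} -> {name: reasons} for hits."""
    hits = {}
    for name, dev in devices.items():
        reasons = suspicious(dev["product"], dev["classes"])
        if reasons:
            hits[name] = reasons
    return hits


def read_sysfs(root="/sys/bus/usb/devices") -> dict:
    """Linux: build the same inventory from sysfs. Interface nodes are named like '1-3:1.0'
    and carry bInterfaceClass (hex); the parent device '1-3' carries the product string."""
    devices = {}
    for path in glob.glob(os.path.join(root, "*:*", "bInterfaceClass")):
        iface = os.path.basename(os.path.dirname(path))
        dev_name = iface.split(":")[0]
        with open(path) as f:
            cls = int(f.read().strip(), 16)
        entry = devices.setdefault(dev_name, {"product": dev_name, "classes": []})
        prod = os.path.join(root, dev_name, "product")
        if os.path.exists(prod):
            with open(prod) as f:
                entry["product"] = f.read().strip()
        entry["classes"].append(cls)
    return devices


# Constructed sample inventory
SAMPLE_DEVICES = {
    "1-1": {"product": "Flash Disk", "classes": [MASS_STORAGE]},                 # ordinary stick
    "1-2": {"product": "USB Flash Drive", "classes": [MASS_STORAGE, HID]},       # stick + keyboard
    "1-3": {"product": "Wireless Mouse", "classes": [HID]},                      # ordinary mouse
    "1-4": {"product": "Flash Disk", "classes": [MASS_STORAGE, CDC_CONTROL, CDC_DATA]},  # stick + NIC
    "1-5": {"product": "Flash Drive", "classes": [HID]},                         # keyboard dressed as a stick
}

if __name__ == "__main__":
    inventory = read_sysfs() if os.path.isdir("/sys/bus/usb/devices") else SAMPLE_DEVICES
    for name, reasons in scan(inventory).items():
        print(name, inventory[name]["product"], "->", "; ".join(reasons))
```

Expect false positives from legitimate composite devices such as docking stations and card readers with built-in keypads; the check is a triage aid, not proof. On Linux hosts the same idea is enforced rather than merely reported by usbguard, which blocks devices whose descriptors do not match an allow-list.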

In addition, we would like to share some good advice from Symantec and McAfee (security software providers) as covered in an article posted on Mashable.com on how you can avoid being a victim of a BadUSB attack.

  1. Only use USB devices from reputable retailers. Make sure you are purchasing new, sealed devices.
  2. Avoid using “pre-owned” or used USB devices.
  3. Do not leave USB devices, or computers, unlocked and unattended in public places, and do not plug in a USB device you found or were handed by a stranger. It is always good practice, regardless of whether a particular USB device is vulnerable to this attack, to keep external storage in a secure location.

Learn more about BadUSB at the linked articles below.

“BadUSB” – what if you could never trust a USB device again?: https://nakedsecurity.sophos.com/2014/08/02/badusb-what-if-you-could-never-trust-a-usb-device-again/

BadUSB – now with Do-It-Yourself instructions: https://nakedsecurity.sophos.com/2014/10/06/badusb-now-with-do-it-yourself-instructions/

How You Can Avoid a BadUSB Attack: http://mashable.com/2014/10/03/how-can-you-avoid-badusb/

It is week two of National Cyber Security Awareness Month (NCSAM). This week’s topic is “Secure Development of IT Products.”

So, what is involved in the secure development of IT products? Security is not something to be considered after a product has been engineered or software has been written; adding security after development is costly. Despite all efforts to educate developers and product engineers, security is often still not considered until after the development phase. Studies have estimated the benefits of building security into development rather than bolting it on afterwards. (See below for the reference article.)

[Screenshot: BrowserCheck results]

Truth is, even with the best efforts to build security into hardware and software, flaws are occasionally found and exploited. Therefore, our advice is to keep software up to date with the latest patches, fixes, and versions whenever possible. To make sure you are surfing safely, use a tool that quickly analyzes your computing device and confirms you are running the latest browser and plug-ins. One such tool is BrowserCheck from Qualys. (The screenshot shows results from a quick scan.) It checks the most common plug-ins, office suites, OS versions, and browser versions to ensure you are running the latest software. Give it a try – it’s free – at: https://browsercheck.qualys.com.

 

Note for Java users: Although we would prefer that everyone run the latest version of Java, some software does not work with the newest releases. If you need to use Java-based software, try a dedicated browser for the applications that require Java. This way, you can disable Java in the browser you use for general web browsing and keep a separate browser with Java enabled only for those applications. Just make sure the Java-dedicated browser is used for nothing else, to limit your exposure to potentially malicious Java content.

Reference: “Estimating Benefits from Investing in Secure Software Development”, from https://buildsecurityin.us-cert.gov/articles/knowledge/business-case-models/estimating-benefits-from-investing-in-secure-software-development.