Archives For Uncategorized

Technology Services has enabled an email security feature in Microsoft Office 365 Outlook. This feature, referred to as SPF (Sender Policy Framework) checking, verifies that the server sending an email message is actually authorized to send mail for the domain the message claims to come from. For example, an email from joe@example.com will be checked to make sure that the email actually came from a server authorized by example.com.

This is a feature that is in wide use across many organizations and email providers, used to combat email sender spoofing (forging the “sender” of an email). This should reduce the amount of phishing and spam emails that make it to your Outlook inbox.

So what happens with these messages? They are considered and marked as “junk” by Microsoft, our email service provider, and routed to your “Junk” folder. This is only one of many checks made to ensure email is appropriately filtered, so a message may end up as a “quarantined” email if it matches other filtering rules.

If a message is incorrectly placed in your junk folder by this SPF checking feature, please contact the Help Desk (helpdesk@wit.edu or 617-989-4500) for further assistance.
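The check described above, as an added illustration (not Technology Services’ or Microsoft’s code): the receiving server looks up the sender domain’s SPF TXT record and tests the connecting server’s IP address against it. The record below is constructed for example.com, and only the ip4, ip6 and all mechanisms are evaluated (include, a and mx would need live DNS lookups).

```python
import ipaddress

# Constructed SPF record for example.com (not the domain's real published record).
EXAMPLE_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"

# SPF qualifiers and the result each produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # an unqualified term means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        terms.append((qualifier, mech.lower(), value))
    return terms


def check_spf(record, sender_ip):
    """Evaluate the connecting server's IP against the record, left to right."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":                    # catch-all: decides everything left
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue                     # malformed term, skip it
            if ip in network:                # False across IPv4/IPv6 versions
                return QUALIFIERS[qualifier]
    return "neutral"                         # no "all" term: default result


def filter_decision(result):
    """Mail-flow policy matching the post: a hard fail lands in Junk.
    Treating softfail as Junk too is an assumption, not Microsoft's rule."""
    return "Junk" if result in ("fail", "softfail") else "Inbox"


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.7", "2001:db8:1::5"):
        result = check_spf(EXAMPLE_RECORD, ip)
        print(ip, result, filter_decision(result))
```

A message claiming to be from example.com but delivered by 198.51.100.7 fails the record and is routed to Junk, which is why a legitimate server that was left out of a domain’s record can be misfiled.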

Data Privacy Day 2015 Recap

John Knights — January 30, 2015

In case you missed any of the tips, discussions, or useful resources throughout the Data Privacy Day events this month, we have consolidated a few of the key links below:

Data Privacy Day may be over, but we are going to continue along with EDUCAUSE in celebrating Data Privacy Month! Follow us on Twitter (@InfoSec_WIT), on the web (WIT Information Security Site), and our blog (Information Security Blog).


#ChatDPD Week 3 Recap

John Knights — January 22, 2015

This week’s #ChatDPD Twitter Chat, hosted by StaySafeOnline.org, covered the topic of “Things You Should Know about Your Privacy on the Go.” Most of us have a mobile device that is used to connect to the Internet. Whether it is a phone, tablet, or laptop, make sure you are checking your security settings to ensure your device is only connecting to networks you trust.

Not sure what all the fuss is about? Check out today’s short, yet informative blog from Stay Safe Online titled “The Year of WiFi Security: Protect Yourself in 2015 and Beyond” for a quick look at the risks and tips to mitigate them.

For more on the Twitter Chat itself, take a look at the transcript available at: http://staysafeonline.org/blog/chatdpd-twitter-chat-transcript-things-you-should-know-about-your-privacy-on-the-go.

If you are interested in Data Privacy Day and would like to learn more, please see our January 7th blog post, “Data Privacy Day (and Month) 2015!”

In addition to this blog, you can follow us on Twitter, @InfoSec_WIT, and check us out online at http://www.wit.edu/dts/security.


#ChatDPD Week 2 Recap

John Knights — January 16, 2015

We celebrate Data Privacy Day this month on January 28th. One way people are getting involved is by joining the Twitter Chats taking place each Wednesday this month. The chats started out with the suggestion that we all add a new resolution for ourselves to do better with protecting our health information.

Last week’s chat subject involved privacy and business. More specifically, how privacy was good for business. Over the last 18 months, there has been what seems like an endless stream of data breaches reported from some of the largest retail companies. These breaches have had substantial financial impacts on these companies, but that’s not all.

The impact of these breaches goes a bit beyond just their short-term financial losses. Breaches have the potential to cause havoc to an organization’s reputation, affecting consumer confidence, which can lead to further loss of revenue. Good privacy practices are good for business; find out what some businesses were saying during last week’s Twitter Chat at: http://staysafeonline.org/blog/chatdpd-twitter-chat-transcript-privacy-is-good-for-your-business.

If you are interested in Data Privacy Day and would like to learn more, please see our January 7th blog post, “Data Privacy Day (and Month) 2015!”

In addition to this blog, you can follow us on Twitter, @InfoSec_WIT, and check us out online at http://www.wit.edu/dts/security.


#ChatDPD Week 1 Recap

John Knights — January 9, 2015

As part of the Data Privacy Day campaign, the National Cyber Security Alliance (NCSA) is hosting a series of “Twitter Chats” this month. Each chat – hosted on Twitter at 3pm EST each Wednesday this January – will bring together various members of the cybersecurity community to discuss a privacy topic.

This week’s topic was “Make New Resolution: Stay On Track While Protecting Your Health Information.” Questions involved the personal devices used to track your health (small wrist bands or clip-on devices that can be used in conjunction with your smart phone to track various health-related items like your heart beats, sleeping patterns, steps you take each day, etc.). The questions asked involved where that data lives and who has access to it, and what the industry should consider as best practices to ensure that these devices and the applications they use maintain the level of privacy that their users demand.

In summary, everyone agreed that these devices track valuable personal health data, and all were concerned with how these data are kept private. Many suggested that an important task the user should be responsible for is reading those user agreements to understand what information is gathered, where it may be stored or how it may be used, and who may have access to it. In addition, make sure you do your research on the companies and their devices before you purchase one, or before you configure one if you already have one. Folks are fairly vocal about privacy concerns these days, and there is surely going to be some news regarding companies’ bad practices or compromised devices.

For a full transcript of the Twitter Chat, please follow this link: http://www.staysafeonline.org/blog/chatdpd-twitter-chat-chat-transcript-make-a-new-resolution-stay-on-track-while-protecting-your-health-information.

If you are interested in Data Privacy Day and would like to learn more, please see our January 7th blog post, “Data Privacy Day (and Month) 2015!”

In addition to this blog, you can follow us on Twitter, @InfoSec_WIT, and check us out online at http://www.wit.edu/dts/security.


NCSAM Week 4 Recap

John Knights — October 24, 2014

Last week’s Twitter chat (#ChatSTC) was on “Cybersecurity for Small and Medium-Sized Business and Entrepreneurs.” During an hour-long chat on Twitter last Thursday, organizations and individuals joined together to discuss the top concerns and share tips on addressing them.

What was apparent is that many of the same threats and challenges that large corporations face each day are applicable to small and medium businesses. Actually, these are issues that all organizations face, even in higher ed. If you’re interested in learning more about what was discussed, stop by the StaySafeOnline.org Blog (link below) and read some of the highlights from yesterday’s discussion.

Students, as you go on your co-ops or prepare to graduate and begin your careers, it doesn’t matter what field or discipline you’re in. Cybersecurity affects all organizations, and as part of the NCSAM campaign, we’d like to remind everyone that cybersecurity is “Our Shared Responsibility.”

Join next week’s Twitter chat on “Preventing and Recovering from Cybercrime.”

Link to StaySafeOnline.org Blog – “Cybersecurity and the Risk to the Small Business Owner”

Link to National Cyber Security Awareness Month information page.

#ClickSmart Twitter Chat

John Knights — October 15, 2014

As part of National Cyber Security Awareness Month, there are Twitter chats taking place throughout the month of October on various topics. Yesterday’s chat was on the #ClickSmart awareness effort spearheaded by Intel.

#ClickSmart aims to promote best practices when faced with links, whether in an email, on a blog, or sent to you via text messaging. Understanding these best practices is crucial to avoiding attacks against your system and will help you protect your data. A great resource available from Intel is their “Should I click this link?” flowchart. While you’re there, take the #ClickSmart Challenge and tweet your score.

For a transcript of yesterday’s chat, check out this blog on staysafeonline.org. To learn more about this month’s NCSAM Twitter Chat series, visit http://stopthinkconnect.org/get-involved/twitter-chats/. To join the next chat, use #ChatSTC on Twitter.

Anti-virus software has changed a lot over the past decade, moving from virus scans triggered by a user to comprehensive malware detection in real time.  While an often lengthy scan was once your only option to detect threats, protection is becoming more automated, now happening as soon as you encounter malware or other malicious programs.  The next step in protecting our computers is a breach detection system (or BDS) that can detect any breach in a network of computers and then contain or remediate all the damage within 48 hours.

Current anti-virus software uses signature-based detection, matching files found by a scan, or software currently running on the computer, against a list of known threats. Users must keep their anti-virus software updated consistently to combat the latest threats on the internet. Another big problem right now with anti-virus software is how predictable it is. Because anti-virus products are available to the public, attackers can test their malware against them until it goes undetected before launching a large-scale attack. With a proper breach detection system, an attack can be discovered because detection is not based only on pre-determined signatures, but on reacting to signs of an attack through network traffic analysis and server data. Ideally, a BDS will stop a threat coming from inside the network, from the cloud, or even on an employee’s mobile phone. It will then remediate the damage by quarantine, session termination, and other restrictions.

Breach detection systems help keep entire networks secure and more connected. The Wentworth Technology Services Information Security Office is always looking for better ways to protect the institute and its members; broadening the scope of our protection services will help us with this mission. We employ next generation firewalls to perform these more advanced techniques for malware detection. In addition, there are active and proposed projects for expanding our tools and techniques to improve the security and privacy of your institutional data; feel free to periodically check in on our projects page for more information and status updates on our projects.
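The contrast the two paragraphs above draw, as an added illustration (not the Information Security Office’s tooling): a signature check is defeated by a sample altered by a single byte, while watching outbound traffic for connections made at suspiciously regular intervals catches the infected host regardless of what the file looks like. Both the sample bytes and the connection log are constructed, and the jitter threshold is a chosen assumption.

```python
import hashlib
from statistics import mean, pstdev

# Constructed stand-ins for a known malware sample and a copy with one byte changed.
KNOWN_SAMPLE = b"MZ\x90\x00constructed-malware-body-v1"
MODIFIED_SAMPLE = KNOWN_SAMPLE[:-1] + b"2"

# Signature database: hashes of samples the vendor has already analysed.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(data):
    """Signature-based detection: flags only an exact match to a known hash."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


# Constructed outbound connection log for one workstation: (seconds, destination).
FLOWS = [
    (0, "198.51.100.9"), (60, "198.51.100.9"), (120, "198.51.100.9"),
    (181, "198.51.100.9"), (240, "198.51.100.9"),      # every ~60 s
    (5, "203.0.113.20"), (47, "203.0.113.20"), (300, "203.0.113.20"),  # normal browsing
]


def beaconing_hosts(flows, min_connections=4, max_jitter=0.1):
    """Behavioural detection: destinations contacted at near-regular intervals,
    the pattern of implanted software checking in with its controller.
    max_jitter is the allowed standard deviation of the gaps relative to their mean."""
    by_dest = {}
    for ts, dest in flows:
        by_dest.setdefault(dest, []).append(ts)
    suspects = []
    for dest, times in sorted(by_dest.items()):
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            suspects.append(dest)
    return suspects


if __name__ == "__main__":
    print("known sample detected:   ", signature_match(KNOWN_SAMPLE))
    print("modified sample detected:", signature_match(MODIFIED_SAMPLE))
    print("beaconing destinations:  ", beaconing_hosts(FLOWS))
```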

The next time you post something on Facebook that anyone can see, you will be greeted by a small blue blast from the past.  A tiny blue dinosaur (article and example from Sophos) now reminds users without privacy settings enabled to read and understand them better before they share information online.  The dino addresses the user by name and hopefully will encourage more people to be safer online.  This is a much needed step towards privacy and transparency for the social network giant.

The cartoon popup is just a test program, but it is already receiving great feedback, and hopefully it will spur more companies to follow suit by making their users’ privacy a bigger priority. The exact message you will receive is: “You haven’t changed who can see your posts lately, so we just wanted to make sure you’re sharing this post with the right audience. (Your current setting is Public, though you can change this whenever you post.)” It then gives you different options to limit who can see your post.


Phishing In Focus

givend — March 14, 2014

In the past decade, word of phishing has spread to the masses and many people have learned what to avoid and look out for. In addition, software has improved and there are now online defenses against phishing. Mass messages that once tricked a few percent of unsuspecting email users are now mostly caught in elaborate spam filters, never to be opened. And the ones that do make it through are usually far too vague or generically addressed for the average user to be fooled by them. Unfortunately, the same campaigns used to educate the masses have pushed criminals to improve their techniques for stealing people’s information. Phishing has evolved from a wide, lazy net to more concentrated and tailored efforts against a specific group. This method is called spear phishing and is usually seen as a personalized attack against a known target or an attempt at impersonating a trusted company to fool any of its clients.

In the past few weeks there has been a new spear phishing attack sent out to Netflix subscribers and placed in fake ads. It directs them to a fake login page that tells them their account has been suspended due to “unusual activity”. The page then provides a phone number for a “customer representative” who tries to convince you to download “Netflix support software” that is really a remote login program. Once fooled, Netflix users’ information on their computer could easily be stolen and their contact lists could be sent the same phishing attack. This technique of posing as a trusted company has a higher success rate for scammers than traditional blanket phishing attacks, and can hurt companies’ reputations. This type of attack is exactly what we want to educate the community about and put an end to. If you are contacted and information is requested by an unknown or untrustworthy source, send the details to infosecurity@wit.edu for assistance.

Phishing isn’t going to get any easier to prevent in the near future; spam filters may block a majority of it, but with the sheer number of attempts, people are bound to encounter it eventually. Be prepared and never trust a message just because it claims to be from a company. Remember to always check the URL of the website you’re on and try to use an HTTPS secure connection whenever possible. If you want the most secure connection possible on each site, download HTTPS Everywhere here. Also, as a general rule, never give out your personal information over the phone to someone you don’t know and never download something that doesn’t come from a good source. A quick search of the term “Netflix support software” would have told you about the scam. Always think before you click, especially during tax season, and we can all live in a safer online world.