Santa Clara University

Information Security Office

News and Events

 

Information Security News and Events

News, events, views, tips, and hints for keeping your personal information private.

  •  Two Layers of Added Security

    Wednesday, Jul. 15, 2015

    To protect your account, passwords are a must. They provide you with added security to keep prying eyes away from your information and data. However, passwords can only do so much to keep your account safe. Passwords are stolen all the time. Habits such as using the same password for more than one site, clicking on links in emails, or using a weak password increase the chances that your password will be stolen.

    (For more information about passwords, please visit: http://www.scu.edu/is/secure/guides/passwords.cfm)

    When someone steals your password, they can lock you out of your account and use it for malicious deeds. If you use the same password for multiple sites, the perpetrator may gain access to all of them. 

    This is where two-factor authentication (2FA) comes in. Most people have one layer (their password) to protect their account. 2FA adds a second level of authentication to an account log-in. If an attacker gets past your password, 2FA makes it much harder for them to get into your account.

    2FA requires users to have 2 out of 3 types of credentials before they can access an account. The types are: 

    • something you know (PIN, password, pattern, etc.)
    • something you physically have (ATM card, security token, phone, text message, etc.)
    • something you are or do (fingerprint, voice, facial recognition, signature, etc.)

    Here is an example of a 2FA login:

    When you log on to your account, you enter your password and your phone gets a text message with a "code" that will give you access to your account. You will need both the password and code for the login process. 
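    The login flow just described, as an added example (not code from the original post): a minimal server-side implementation in Python in which the password is one layer and a texted one-time code is the second, so neither alone gets an attacker in. The six-digit length, five-minute lifetime and three-attempt limit are assumed policy values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Policy values are assumptions for this example, not from the original post.
CODE_TTL_SECONDS = 300      # a texted code is valid for five minutes
MAX_CODE_ATTEMPTS = 3       # after three wrong guesses the code is discarded
PBKDF2_ITERATIONS = 100_000


@dataclass
class PendingCode:
    code_hash: bytes        # only a hash of the texted code is kept server side
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    pending: Optional[PendingCode] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def new_account(password: str) -> Account:
    """Store a salted password hash, never the plaintext password."""
    salt = secrets.token_bytes(16)
    return Account(salt, _hash_password(password, salt))


def check_password(acct: Account, password: str) -> Optional[str]:
    """Layer 1: something you know. On success a fresh 6-digit code is issued
    and returned so the caller can text it to the phone; on failure nothing is
    issued, so a wrong password never triggers a text."""
    if not hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
        return None
    code = f"{secrets.randbelow(10**6):06d}"          # uniform over 000000..999999
    acct.pending = PendingCode(hashlib.sha256(code.encode()).digest(),
                               time.time() + CODE_TTL_SECONDS)
    return code


def check_code(acct: Account, code: str, now: Optional[float] = None) -> bool:
    """Layer 2: something you have. The code must exist, be unexpired and match;
    it is single use and is discarded after too many wrong guesses."""
    now = time.time() if now is None else now
    pending = acct.pending
    if pending is None or now > pending.expires_at:
        acct.pending = None
        return False
    pending.attempts += 1
    ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), pending.code_hash)
    if ok or pending.attempts >= MAX_CODE_ATTEMPTS:
        acct.pending = None                           # burn the code either way
    return ok


if __name__ == "__main__":
    acct = new_account("correct horse battery staple")
    texted = check_password(acct, "correct horse battery staple")
    wrong = "000000" if texted != "000000" else "000001"
    print("code texted to phone:", texted)
    print("wrong code accepted?", check_code(acct, wrong))
    print("right code accepted?", check_code(acct, texted))
    print("replayed code accepted?", check_code(acct, texted))
```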

    So what's all the fuss about two-factor authentication anyway? Why should I use 2FA?

    Well, one of the biggest reasons to use 2FA is the added security it gives you. 2FA makes it harder for attackers to hack into your account; instead of trying to bypass one layer of security, the attacker has to bypass two layers. However, this doesn’t mean that 2FA is a sure way to stop people from getting into your accounts. It just improves security with little effort on your part. 

    So does this mean that I can use easier passwords if I use 2FA?

    You have some leeway for using a slightly easier password now that you have an extra layer of security, but I would still highly recommend that you use strong passwords to keep your accounts more secure. 

    Okay, so what are some downsides to 2FA?

    One downside to 2FA is that most people use it on their cellphones. I admit that this is the most convenient method, but if you’re using your phone to enter both a password and the second layer of security, it becomes less secure. There’s always a risk that your phone could be stolen or that malicious apps might attempt to steal your stored passwords. Nowadays, a typical cellphone contains everything but the physical keys to your door.

    The other downside is that 2FA can be a hassle. It takes a moment to set up, and whenever you want to log in, 2FA requires that you have access to the device or token you registered for it. This is also why more and more people are using their smartphones as the token.

    Some sites that allow two-factor authentication:

    • Facebook
    • Gmail
    • Twitter
    • LinkedIn

    Now that you know a little more about two-factor authentication, the ball is in your court. Some people choose to use 2FA, while others opt not to. What will you do?

     

  •  Password Managers

    Wednesday, May. 27, 2015
    PASSWORD MANAGERS*
     
    What is a Password Manager Tool?
    A password manager tool is software that helps users to encrypt, store, and manage passwords.  The tool also helps users to create secure passwords and automatically log into websites.
     
    Who Might Use a Password Manager Tool and Why?
    People should use unique passwords for each website or system they log in to, in order to minimize the impact of a breach of any one website or system.  However, most users cannot remember a separate password for many sites and tend to reuse the same password or write passwords on sticky notes attached to their computer. Password manager tools allow users to manage many distinct passwords more securely and to log in to websites automatically.
     
    Benefits to Using a Password Manager Tool
    Password manager tools enable users to create and securely maintain unique passwords for websites and other systems without having to memorize or write down passwords.
     
    Risks to Consider When Using a Password Manager Tool
    Special care should be taken to secure the password tool since it will grant access to all passwords.  The “master” password that grants access to the tool should be a very strong, complex, and unique password; use multifactor authentication if possible.  Additional considerations should be made about whether you want your password management tool to store the passwords locally or in the cloud.
     
    List of Technology/Tools That a User Might Consider
    Below are three popular password manager tools that an end user might consider for use.  Users should evaluate which tool works best for their own unique purposes.  The Information Security Office does not recommend the use of a particular tool. End users employ these tools at their own risk.
     
    LastPass (https://lastpass.com/) is easy to use, supports most popular browsers and mobile devices, offers multifactor authentication options for the master password, notifications for hacked sites, does not share the encryption key with LastPass, provides a password strength indicator, and performs additional password tests like ensuring that you’re not using the same password across multiple sites.  However, the ease of use requires that the password database be stored in the cloud. Additionally, as a web-based tool, your password database is available to anyone in the world with an Internet connection and your master password. For this reason, it is strongly recommended that you use multifactor authentication. 
     
    KeePass (http://keepass.info/ and http://www.keepassx.org) does not share encryption keys with KeePass, provides a password strength indicator, and the password database is not stored in the cloud.  Ease of use across multiple devices is a little more complex as the user needs to maintain access to their private password database manually.
     
    1Password (https://agilebits.com/onepassword) does not share encryption keys with 1Password, provides a password strength indicator, and the password database can be stored in Apple's iCloud, Dropbox or locally on personal devices.  Use across multiple devices is easy if the database is stored in the cloud, but more secure if it is stored locally.  The iOS version can be configured to support Touch ID on compatible devices.
     
    Higher Education Reference Pages
     
    • Boston University
    • Indiana University
    • Pepperdine University
    • Purdue University
    • University of Illinois at Urbana-Champaign
     
    Adapted with permission from EDUCAUSE and the Higher Education Information Security Council
    *not written by the author
  •  Be Wary of Telephone Scams

    Wednesday, Apr. 29, 2015

    Not only do cyber criminals send you fraudulent (phishing) email messages and set up fake websites, they also may call you on the phone. Oftentimes, they will offer to help solve your (nonexistent) computer problems or sell you a software license. The most common type of phone scam is the tech support scam. Cyber criminals can be very persuasive in getting you to trust them. They might know your name and other personal information, usually gained from public phone directories or even through research. They might even guess what operating system you're using. After they have gained your trust, they might ask for your username and password or ask you to go to a website to install software that will let them access your computer to fix it. Once you do this, your computer and your personal information are vulnerable.

    Once they have access to your computer, they will be able to do the following things:

    • Trick you into installing malicious software that could capture sensitive data, such as online banking user names and passwords. They might also then charge you to remove this software.
    • Take control of your computer remotely and adjust settings to leave your computer vulnerable.
    • Request credit card information so they can bill you for phony services.
    • Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.

    So how can I protect myself from phone tech support scams?

    If you feel that you have received a fraudulent phone call:
    • Do not purchase any software or services.
    • Ask if there is a fee or subscription associated with the "service." If there is, hang up.
    • Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
    • Take the caller's information down and immediately report it to your local authorities.
    • Never provide your credit card or financial information.

    More information

    http://scu.edu/is/secure/blog/index.cfm?c=19636 

     

  •  Encrypt Zip Files

    Friday, Feb. 20, 2015

    Need to encrypt your files, but don't have the software to do it? LOOK NO FURTHER! I am here to show you how to encrypt your files! 

    If you are a Mac user, please follow this link (click here) to encrypt your files, because the software I will be talking about is for Windows users. Alternatively, you can download Keka, a free file archiver for Mac OS X, here. Instructions on how to use Keka can be found here.

    If you are a Windows user, please keep reading. If you use Linux, you can google it or click here: (option 1) or (option 2).

    Let's get started. The software that I will be talking about is called 7-Zip.

    7-Zip is open source software that compresses files into archives and can secure those archives with encryption. Alternatively, you can also use WinZip (click here for WinZip). To download 7-Zip, click here.

    After the software has been installed, you can proceed to encrypt a file or folder:

    STEP 1:

    Right click on the file/folder to be encrypted. 

    Select "7-Zip" and then "Add to archive"

    STEP 2:

    Change the name of the archive you wish to create.


    STEP 3:

    Change the Archive format to "Zip".


    STEP 4:

    Change the Encryption method to "AES-256". You can also select ZipCrypto, but AES-256 is much more secure; ZipCrypto is a legacy scheme. However, if AES-256 is selected, the recipient of the zip file may have to install 7-Zip or another zip program to open it. Selecting ZipCrypto allows users to open the zip file in Windows without a separate zip program. Note that either method encrypts only the file contents; the names of the files inside the archive remain readable.

    I strongly recommend that you use AES-256 to protect your data. 


    STEP 5:

    Enter a strong password. Here are some tips on how to create a strong password: (option 1) or (option 2).


    STEP 6:

    Select "OK" to create the encrypted archive file. This file will be located in the same folder as the original.

    You have encrypted your file! Congratulations!

    *To open the file, you just need to enter the password.


  •  Treats for Password Changes

    Monday, Nov. 10, 2014

     Join the Information Security Office and the Markkula Center for Applied Ethics this Thursday for "Treats for Password Changes". Protect your privacy by changing your password and get a treat in return! Cookie Monster approves! #freecookies

  •  Shred Fest 2014

    Wednesday, Oct. 8, 2014

    Free Document Shredding

    DATE: Tuesday, Oct 21 - Thursday, Oct 23
    TIME: 11:00AM - 1:30PM
    WHERE: The shred truck will be parked on Sherman St. in front of Campus Safety Services.
    PURPOSE: Bring your sensitive and outdated paper documents, CDs, and DVDs for secure destruction

     

    Reasons to Shred:         
    • Shredding keeps personal information confidential
    • Shredding helps prevent identity theft and fraud
    • Shredding keeps business information confidential
    • Shredding is environmentally friendly
      • Documents are recycled, saving trees and energy
      • Less waste goes to landfills
    • Shredding helps organizations comply with Federal and State laws, as well as Industry regulations
      • FERPA - Family Educational Rights and Privacy Act
        • Protects student information
      • HIPAA - Health Insurance Portability and Accountability Act
        • Protects patient information
      • FACTA - Fair and Accurate Credit Transactions Act
        • Protects credit card holder information
      • GLBA - Gramm-Leach-Bliley Act
        • Protects financial information
      • SOX - Sarbanes-Oxley Act
        • Protects stockholder information
      • PCI-DSS - Payment Card Industry Data Security Standard
     
    What should I shred?
     
    • Deposit, ATM, credit card and debit card receipts
    • Credit card and bank account statements
    • Credit card contracts and other loan agreements
    • Documentation of a purchase or sale of stocks, bonds and other investments
    • Utility or monthly bills
    • Legal files
    • Paycheck stubs
    • Computer discs
    • Tapes
    • Computer CDs/DVDs
    • Personnel records
    • Credit reports
    • Tax records
    • Bank statements
    • Legal contracts
    • Medical records
    • Real estate forms
    • Whatever you want
     
    *Shred Fest is Powered by Pantera Shredding Services

     

  •  What Apps Have Access to Your Facebook and Twitter?

    Monday, Jun. 30, 2014

    While social media sites such as Facebook and Twitter make it easy to share things with your friends, they also make it easy to log in to various services and applications. As authentication brokers, these sites allow their users to sign into third-party sites with their social media account credentials. All the user has to do is give those sites permission to access their profile data.

    Facebook is a full-blown apps ecosystem. You may have added an app for a promotion or contest, played a game, or added new functionality such as music streaming. In most cases, it just means the app developer has access to some of your profile data. In the worst-case scenario, a malicious developer behind the service can use your account to send out spam.

    When was the last time you checked to see what apps have access to your Facebook and Twitter accounts? If you are like most Internet users, you are probably long overdue for a cleanup.

    Below are the steps for performing an audit. An audit lets you review all the apps on your account and decide whether each should still have access.

    Auditing Facebook
    To see the list of apps on Facebook, click on the gear icon in the top right corner of the screen, and then Privacy Settings. Clicking on Apps in the left column brings up the App Settings page.


    The Apps you use section displays all the applications that have access to the account. You can remove applications you are no longer using by clicking on the “x” for each row. If you are still using the app, click on Edit to make sure you are okay with the information the app is collecting and has access to.

    Next, check the Apps others use (underneath Apps you use) setting as well, since apps, games, and websites your friends are using can also access your personal details, photos and updates. In this section, you can select which pieces of information your friends’ apps can access. You may not be comfortable with an app you are not using having access to your data. This is your chance to do something about it.


    If you are adamant about not using Facebook apps, there is another option. After removing every app, if you click on Edit, you can turn the platform off. If you do so, you won't be able to log in to sites using Facebook or add any apps until you turn it back on.

    Auditing Twitter
    You can view all the apps that have access to your Twitter account by clicking on the gear icon on the top right hand corner of the Twitter home page. Click on Edit Profile in the drop down menu that appears, and then on Apps in the Profile page’s left column.


    This displays a list of applications you’ve granted access to your Twitter account. Are you surprised by the number of apps here? Revoke access to apps that you don’t recognize, or know that you no longer use. If you aren’t sure, remove them anyway. The worst thing that can happen is that the app will prompt you to re-authorize it the next time you need it. And if you never get prompted, then you clearly weren’t using it.

    You can revoke an app simply by clicking on the Revoke access button next to each app name. If you make a mistake, you can always re-enable access by clicking on the Undo Revoke Access button.

    Why Audit?
    You reduce your risk of unauthorized use of these apps, cut down on the chances of spammers taking over your account, and even remind yourself of tools and services you may have forgotten about. It’s a good idea to review your apps on a regular basis. Whether that’s once a quarter, twice a year, or annually depends entirely on your app usage. Just don’t neglect this aspect of maintenance. Your data will thank you.

  •  Important Security Measure for iPhone

    Tuesday, May. 27, 2014

    Early Tuesday, a number of Australian iPhone and iPad owners awoke to find their devices locked, with an alert asking for $50 to $100 to give access back.

    Moral: It's easier than you think for someone to get into your Apple products -- even if a thief doesn't have the actual iPhone in his or her hands.

    How do you make yourself much safer?

    Start using two-step verification for your Apple ID.

    When you enable two-step verification, Apple will make you prove you're actually you whenever you buy anything on iTunes, the App Store or the iBooks Store. It works like this: Apple will text you a code anytime you try to sign into your Apple account to make a purchase. You will then have to input that number to verify your identity. That way, nobody else can access your account unless they have both your password and your device, making it far more difficult to steal your identity and credit card information.

    Here's how you do it:

    First, go to the Apple ID site, click "Manage your Apple ID" and sign in. From there, click "Password and Security."


    From there, you'll see "Two-Step Verification." Under that you should click "Get started..."


    There you'll be able to sign up for two-step verification. For security reasons, Apple makes you wait three days after setting up two-step verification for it to take effect. Once you sign up, you'll get an email telling you exactly when you'll be able to use it.

    Once two-step verification is active, you will be asked for the texted code every time you sign in to Apple to make a purchase.

    You'll also get a Recovery Key, which is a 14-character series of numbers and letters that you can use to access your account if you ever lose access to your iPhone and are unable to receive text messages. Apple recommends you print out your Recovery Key and keep it in a safe place.

    Many people don't think about Apple security -- even though the devices and accounts can contain a ton of personal information. Half of iPhone users don't even use their phone's regular passcode, and some people probably still haven't updated their iPhones after a major security flaw was discovered in February. Two-step verification is just one extra way you can protect yourself.

  •  De-Cloud Your Life

    Wednesday, May. 21, 2014

    The term "the cloud" can be used to refer to the Internet. Marketers have popularized the phrase "in the cloud" to refer to software, platforms, and infrastructure that are sold as a service. Usually, the seller has servers that host products and services from a remote location, so users don't have to. They can just log on to the network without installing anything. These services may be offered in a public, private, or mixed network. Google, Amazon, IBM, Oracle Cloud, Microsoft Azure, and Dropbox are some examples of cloud vendors.  

    Cloud services have expanded as more and more users come online. They can be quite useful as a cheap "offsite backup", for example for keeping documents or a list of serial numbers of your belongings in case of a robbery or a catastrophic event such as an earthquake.

    Let's use Dropbox for an example.

    Dropbox usually requires a username and password to access documents. It even offers a two-factor solution as an option. However, a user can allow others to view a document by sending them a "secret link". But links can be easily leaked. As users rely more on cloud services to share files, with passwords that are too troublesome to set up, leaked links will become more commonplace. 

    Let's assume that the cloud service works as designed and your username and password are strong enough. But when you share files with other people, you run the risk that they will not take the same care with the files as you would. Their passwords could be weaker than yours, or they could post the link on the Internet.

    Although cloud services are useful, there is some information that you shouldn't store in the cloud, such as confidential, personal, financial, or medical information, unless you encrypt it before uploading.

    Here are a couple of ways to "de-cloud" your life:

    • Set up an "ownCloud" server. It works very much like Dropbox, with mobile clients available for Android and iOS, but you will have to run the server. I suggest you make it accessible via a VPN connection only. SharePoint may be a similar solution for Windows folks.
    • Run your own mail server: This can be a real pain and even large companies move mail services to cloud providers. But pretty much all cloud mail providers will store your data in the clear, and in many ways they have to. Systems to provide real end-to-end encryption for cloud/web-based e-mail are still experimental at this point.
    • Offsite backup at a friend's or relative's house. With wide spread use of high speed home network connections, it is possible to setup a decent offsite backup system by "co-locating" a simple NAS somewhere. The disks on the NAS can be encrypted and the connection can use a VPN again.
    • For Apple users, make local backups of your devices instead of using iCloud. iCloud stores backups unencrypted and all it takes for an attacker to retrieve a backup is your iCloud username/password.
  •  Beware Telephone Scams That Say Your Computer Has a Virus

    Monday, May. 12, 2014

    Recently, some people at SCU have gotten unsolicited phone calls offering to fix their computers. If that happened to you, make sure you do not do anything the caller asks you to do. It is most likely a phone scam. Even if you wouldn't be fooled, please warn friends and relatives (especially elderly ones) who might not be aware of scams like this. Victims of this fraud could suffer anything from identity theft to having their computer hijacked and used to send spam or viruses without their knowledge.

    Where to Report Phone Fraud

     What If They Put a Virus on My Computer?

     

Information Security Office, 1-408-554-5554, iso@scu.edu