Information Security News and Events
News, events, views, tips, and hints for keeping your personal information private.
Monday, Jun. 30, 2014
While social media sites such as Facebook and Twitter make it easy to share things with your friends, they also make it easy to log in to various services and applications. As authentication brokers, these sites allow their users to use their account credentials to sign into third-party sites. All the user has to do is give permission for those sites to access their profile data.
Facebook is a full-blown apps ecosystem. You may have added an app for a promotion or contest, played a game, or added new functionality such as music streaming. In most cases, it just means the app developer has access to some of your profile data. In the worst-case scenario, a malicious developer behind the service can use your account to send out spam.
When was the last time you’ve checked to see what apps have access to your Facebook and Twitter accounts? If you are like most Internet users, you are probably long overdue for a cleanup.
Below are steps on how to perform an audit. An audit will let you review all the apps on your account and determine whether they should still have access.
To see the list of apps on Facebook, click on the gear icon in the top right corner of the screen, and then on Privacy Settings. Clicking on Apps in the left column brings up the App Settings page.
The Apps you use section displays all the applications that have access to the account. You can remove applications you are no longer using by clicking on the “x” for each row. If you are still using the app, click on Edit to make sure you are okay with the information the app is collecting and has access to.
Next, check the Apps others use (underneath Apps you use) setting as well, since apps, games, and websites your friends are using can also access your personal details, photos and updates. In this section, you can select which pieces of information your friends’ apps can access. You may not be comfortable with an app you are not using having access to your data. This is your chance to do something about it.
If you are adamant about not using Facebook apps, there is another option. After removing every app, if you click on Edit, you can turn the platform off. If you do so, you won't be able to log in to sites using Facebook or add any apps until you turn it back on.
You can view all the apps that have access to your Twitter account by clicking on the gear icon in the top right-hand corner of the Twitter home page. Click on Edit Profile in the drop-down menu that appears, and then on Apps in the Profile page's left column.
This displays a list of applications you’ve granted access to your Twitter account. Are you surprised by the number of apps here? Revoke access to apps that you don’t recognize, or know that you no longer use. If you aren’t sure, remove them anyway. The worst thing that can happen is that the app will prompt you to re-authorize it the next time you need it. And if you never get prompted, then you clearly weren’t using it.
You can revoke an app simply by clicking on the Revoke access button next to each app name. If you make a mistake, you can always re-enable access by clicking on the Undo Revoke Access button.
You reduce your risk of unauthorized use of these apps, cut down on the chances of spammers taking over your account, and even remind yourself of tools and services you may have forgotten about. It’s a good idea to review your apps on a regular basis. Whether that’s once a quarter, twice a year, or annually depends entirely on your app usage. Just don’t neglect this aspect of maintenance. Your data will thank you.
Tuesday, May. 27, 2014
Early Tuesday, a number of Australian iPhone and iPad owners awoke to find their devices locked, with an alert asking for $50 to $100 to give access back.
Moral: It's easier than you think for someone to get into your Apple products -- even if a thief doesn't have the actual iPhone in his or her hands.
How to make yourself much safer?
Start using two-step verification for your Apple ID.
When you enable two-step verification, Apple will make you prove you're actually you whenever you buy anything on iTunes, the App Store or the iBooks Store. It works like this: Apple will text you a code anytime you try to sign into your Apple account to make a purchase. You will then have to input that number to verify your identity. That way, nobody else can access your account unless they have both your password and your device, making it far more difficult to steal your identity and credit card information.
Here's how you do it:
First, go to the Apple ID site, click "Manage your Apple ID" and sign in. From there, click "Password and Security."
From there, you'll see "Two-Step Verification." Under that you should click "Get started..."
There you'll be able to sign up for two-step verification. For security reasons, Apple makes you wait three days after setting up two-step verification for it to take effect. Once you sign up, you'll get an email telling you exactly when you'll be able to use it.
Once you have two-step verification, this is how it works when you sign into Apple to make a purchase:
You'll also get a Recovery Key, which is a 14-character series of numbers and letters that you can use to access your account if you ever lose access to your iPhone and are unable to receive text messages. Apple recommends you print out your Recovery Key and keep it in a safe place.
Many people don't think about Apple security -- even though the devices and accounts can contain a ton of personal information. Half of iPhone users don't even use their phone's regular passcode, and some people probably still haven't updated their iPhones after a major security flaw was discovered in February. Two-step verification is just one extra way you can protect yourself.
Wednesday, May. 21, 2014
The term "the cloud" can be used to refer to the Internet. Marketers have popularized the phrase "in the cloud" to refer to software, platforms, and infrastructure that are sold as a service. Usually, the seller has servers that host products and services from a remote location, so users don't have to. They can just log on to the network without installing anything. These services may be offered in a public, private, or mixed network. Google, Amazon, IBM, Oracle Cloud, Microsoft Azure, and Dropbox are some examples of cloud vendors.
Cloud services have expanded as more and more users have come online. They can be quite useful as a cheap "offsite backup". For example, you can keep copies of documents, or a list of the serial numbers of your belongings, in case of a robbery or a catastrophic event such as an earthquake.
Let's use Dropbox for an example.
Dropbox usually requires a username and password to access documents. It even offers a two-factor solution as an option. However, a user can allow others to view a document by sending them a "secret link", and links can be easily leaked. As users rely more on cloud services to share files, and skip per-file passwords because they are too troublesome to set up, leaked links will become more commonplace.
Let's assume that the cloud service works as designed and your username and password are strong enough. When you share files with other people, you still run the risk that they will not take the same care with the files as you would. Their passwords could be weaker than yours, or they could post the link on the Internet.
Although cloud services are useful, there is some information that you shouldn't store in the cloud, such as confidential, personal, financial, or medical information, unless you encrypt it before uploading.
Here are a couple of ways to "de-cloud" your life:
- Set up an "ownCloud" server. It works very much like Dropbox, with mobile clients available for Android and iOS. But you will have to run the server yourself. I suggest you make it accessible via a VPN connection only. SharePoint may be a similar solution for Windows folks.
- Run your own mail server: This can be a real pain and even large companies move mail services to cloud providers. But pretty much all cloud mail providers will store your data in the clear, and in many ways they have to. Systems to provide real end-to-end encryption for cloud/web-based e-mail are still experimental at this point.
- Offsite backup at a friend's or relative's house. With the widespread availability of high-speed home network connections, it is possible to set up a decent offsite backup system by "co-locating" a simple NAS somewhere. The disks on the NAS can be encrypted, and the connection can again use a VPN.
- For Apple users, make local backups of your devices instead of using iCloud. iCloud stores backups unencrypted and all it takes for an attacker to retrieve a backup is your iCloud username/password.
Monday, May. 12, 2014
Recently, some people at SCU have gotten unsolicited phone calls offering to fix their computers. If that happened to you, make sure you do not do anything the caller asks you to do. It is most likely a phone scam. Even if you wouldn't be fooled, please warn friends and relatives (especially elderly ones) who might not be aware of scams like this. Victims of this fraud could suffer anything from identity theft to having their computer hijacked and used to send spam or viruses without their knowledge.
Where to Report Phone Fraud
- National Do Not Call Registry
The U.S. National Do Not Call Registry allows you to register your phone number. U.S. telemarketers are legally required to check this list; if they call numbers on it, they're liable for prosecution. Enforcement isn't great, but every bit helps.
- FTC Bureau of Consumer Protection - Consumer Information
The Federal Trade Commission doesn't resolve individual consumer complaints, but if there are enough reports of the same fraud, they may be able to go after the scam and shut it down.
What If They Put a Virus on My Computer?
Wednesday, May. 7, 2014
Authentication methods used by Facebook, Google, and many other popular websites could be redirected by attackers.
A security researcher has uncovered serious security vulnerabilities in the technologies used by many websites to authenticate users via third-party websites. A blog posted late last week revealed the details of security flaws in OAuth 2.0 and OpenID, two technologies that are widely used by the Web's most popular sites to more quickly and easily verify the identity of a user.
The vulnerability was discovered by Wang Jing, a PhD student in mathematics at Nanyang Technological University. If you have ever allowed an application or website to verify your identity using your Facebook, Twitter, or Google account, then you have likely used OAuth or OpenID.
OAuth is an open standard for authorization that gives client applications secure, delegated access to server resources on behalf of a resource owner. OpenID is an open standard that allows users to be authenticated by cooperating sites using a third-party service, eliminating the need for webmasters to provide their own authentication systems and allowing users to consolidate their digital identities. The vulnerability could allow an attacker to redirect the "token" used by OAuth 2.0 to access user information on a third-party site, making it possible to steal information such as the email address, age, or location of a user, the blog says. In OpenID, the vulnerability could enable attackers to collect users' information directly.
Google (which uses OpenID) said that the problem is being tracked, while LinkedIn said that the company has published a blog post on the matter. Microsoft said an investigation has been done and that the vulnerability existed on the domain of a third party and not on its own sites.
While this issue isn't as severe as Heartbleed, it is relatively easy to exploit until the flaw is patched, and patching is difficult because third-party sites have "little incentive" to fix the problem. Cost is a factor, as is the view that the host company (such as Facebook) bears the responsibility for making the attacks appear more credible.
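The redirect problem described above comes down to two checks: how strictly the provider matches the redirect_uri in an authorization request against what the app registered, and whether the app itself will forward visitors to arbitrary destinations. The Python below is an added illustration, not code from the article, the researcher, or any provider; the hostnames, the registered URI and the helper names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: the callback URI a client app registered with a provider.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}


def loose_redirect_ok(redirect_uri):
    """Weak provider-side check: accept any URI whose host matches a registered
    URI. If that host also forwards visitors elsewhere on request, the token can
    end up at a destination the provider never approved."""
    host = urlsplit(redirect_uri).hostname
    return any(urlsplit(r).hostname == host for r in REGISTERED_REDIRECT_URIS)


def strict_redirect_ok(redirect_uri):
    """Hardened provider-side check: exact match on the full registered string
    (scheme, host, path and query), HTTPS only, and no fragment."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def authorize_request_ok(query_string):
    """Apply the strict check to the redirect_uri of a raw authorization request."""
    params = parse_qs(query_string)
    redirect_uri = params.get("redirect_uri", [""])[0]
    return strict_redirect_ok(redirect_uri)


def safe_redirect_target(next_url):
    """Client-side fix for the app's own '?next=' style forwarder (hypothetical
    helper): only honour a relative path on this site, otherwise fall back to '/'."""
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc or "\\" in next_url:
        return "/"
    if not next_url.startswith("/") or next_url.startswith("//"):
        return "/"
    return next_url
```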
Tuesday, Apr. 29, 2014
Internet security firm FireEye has identified a bug in Microsoft's Internet Explorer versions 6 through 11 which can allow attackers to take control of computers using Microsoft's popular web browser. Government and industry computer security experts recommend that people use alternative browsers, like Mozilla Firefox or Google Chrome, until Microsoft releases a patch.
While there are technical workarounds to mitigate the problem, SCU's Information Security Office suggests following the experts' advice and using an alternative browser until the patch from Microsoft is made public.
More details are available here:
Friday, Apr. 25, 2014
25 Most Popular Passwords
If yours is on the list, it is time to change it!
Wednesday, Apr. 9, 2014
Immediate action required whether you use a PC, Mac, or smartphone. Researchers have discovered a critical bug in the communication protocol that is used to secure transactions on an estimated 500,000 websites. When you log into a website, your username and password are sent to that website's server. Typically your credentials are encrypted using a protocol called Secure Sockets Layer, or SSL. One of the most commonly used implementations of SSL is called OpenSSL and it is used by approximately 66% of websites.
Heartbleed is a bug in OpenSSL that allows attackers to decode and read text from emails, instant messages, passwords, even business documents -- anything sent to a vulnerable site's server. Heartbleed is so critical that almost every major web site and vendor service is scrambling to resolve it.
Google has released a statement that their sites are not vulnerable. SCU’s technical staff is working with our vendors to identify and address the issue on other SCU systems.
SCU's Information Security Office strongly recommends that you change your SCU Network ID and eCampus passwords right away.
You can change your Network ID password here: https://sso.scu.edu/gam/passwords.html.
We also recommend changing passwords for all sites where you conduct financial or personal business. Be sure to use long and strong passwords and change them regularly.
More information about Heartbleed
Tuesday, Mar. 4, 2014
Apple has reported a flaw in their code for iOS versions 6 and 7, as well as Mac OS X 10.9.1 (Mavericks). The bug allows hackers to intercept and decrypt SSL-encrypted network connections. That means email or other online transactions can be read by attackers, who can possibly gather sensitive, personal information.
Apple's Safari web browser and Mail client, and other apps such as FaceTime, iMessage, and some third-party programs running on iOS versions 6 and 7 and OS X 10.9.1, are vulnerable to SSL snoopers. However, Google Chrome and Mozilla Firefox are not vulnerable, as they use a different SSL library.
Mavericks (10.9.0 or 10.9.1) and iPhone users should install the update as soon as possible. You can get it by running Software Update.
About the OS X Mavericks v10.9.2 Update
Security updates for Apple products.
Thursday, Dec. 5, 2013
There has been much press about a nasty piece of malicious software (malware) called CryptoLocker. Here is the rest of the story.
What is CryptoLocker?
CryptoLocker is a particularly malicious ransomware program.
How do you get infected?
CryptoLocker is a trojan horse. It is typically spread through email attachments and phishing attacks.
What does it do?
After CryptoLocker gets installed, it quietly starts encrypting your files. After it has encrypted enough files, it presents you with a popup window telling you what it has done and instructing you to pay (usually $150-300) if you'd like your files back. You have 72 hours to comply (though this has recently become more lenient: if you are willing to pay, they will take your money and decrypt your files).
How do you protect against CryptoLocker?
CryptoLocker is a serious threat. If you do get infected you're either going to have to pay the ransom or say goodbye to family photographs and important personal data. We do not recommend that you pay the ransom--these are criminals and have taken credit card numbers without decrypting the data.
- Keep your operating system (OS) up to date with the latest patches.
- Install anti-virus software on your computers if you don't already have it installed. Keep this up to date as well. Here is a link to Symantec’s description of how their software protects against Cryptolocker: http://www.symantec.com/connect/blogs/ransomcrypt-thriving-menace
- Make backups of important data on a regular basis.
- Only browse to trusted websites.
- Only open email attachments or links from trusted sources.
If you think your computer is infected, call the IT service center at (408) 554-5700.
To learn much more about CryptoLocker, the Malwarebytes blog has this: