Information Security Alert June 2016


In this issue:

Living a Healthy Cyberlife: How Simple Habits Strengthen Your Security & Privacy

Building Strong Passwords

2FA: What It Is, How It Works, & How It Fortifies Your Security

Fight Back Against Data Mining

The Future of Passwords: Toughen up Logins with Biometrics!

QUESTIONS? PLEASE CONTACT: Dawn Thistle 508-767-7095 dthistle@assumption.edu

Bob Lavner 508-767-7006 blavner@assumption.edu

DISCLAIMER: The advice within was collected and created by the Security Awareness Company and is intended to be used as general safe practices. You should always follow College policy.


THREE STEPS TO A HEALTHY CYBER LIFE

JUST ASK ANY DOCTOR! They tell us to eat right, exercise daily and sleep more to maintain our health. These healthy habits, when part of our daily routine, make us feel better, allow us to indulge occasionally and give us more energy to fully enjoy our lives. Just ask any security expert! They will tell us to create strong passwords, run antivirus and malware detection software, use a VPN on public networks and to always, always, ‘think before you click.’ These simple practices, when part of our daily routine, will help keep our computers free of hostile software, and will better protect our personal and business data, all while we continue to enjoy the wonders of technology. In short, if we treat our online presence the way we should treat our bodies, healthy living in the cyber world is easy to understand. This way we can have a ‘healthier’ online experience while we ‘eat our cake’, too!

Eating Right: That old saying, “you are what you eat,” can easily be applied to the cyber world: YOU are only as strong as your weakest password. Eating right, in this case, means “a well balanced password” by using strong, hard-to-guess words and phrases, and never using the same password twice. Why would you use “bankpassword” to protect and access your banking information? Or “onlinetrading” for your online trading account? That’s obviously the wrong way to pick a password. Don’t forget that your electronic identity, your username and password, is all that stands between your data and criminals.

Exercise Daily: You want to feel better about your security habits and the privacy of your data? Change your passwords regularly. Set a calendar reminder if you have to. Routinely updating passwords is hard work but it pays off, just like hitting the gym three or more times a week. Nobody wants to do it, but everybody wants the results. Of course, by using a password manager for your personal and mobile lives, your passwords will be exercised on a regular basis! At work, find out if there is a company-approved password manager you can use, and remember to always follow policy!

Get More Sleep: Anti-virus and anti-malware software allows us to surf the web mostly worry free, especially since it should be set to update itself fairly often, without involving you. Keep your personal anti-malware software up to date. You should also regularly back up important personal documents (photos, taxes, medical records, financials, that novel you’ve been working on, etc.). At work, never install or modify any software without permission.


Passphrases: The Smart Alternative

In cyber security, length matters. As such, passphrases, an easy way to generate strong access codes, are the smarter and safer alternative to traditional passwords. A passphrase is simply a sequence of words, numbers and/or symbols that are hard to guess but easy for you to remember. Creating a long passphrase isn’t enough. Uniqueness is key. Using common sayings or quoting common sources is no more secure than using common passwords. “Seize the day” is not a strong passphrase. “I have a collection of zombie turtles” is a much stronger passphrase. Unless, of course, you do actually have a collection of zombie turtles and tweet about them frequently, in which case this passphrase becomes a liability. Practicing some common sense with your passphrase is obviously essential. Remember: it should be easy for YOU to remember BUT hard for others to guess.

2bOrN2bT!zT?

Longer might be great, but random is better. Creating passphrases and passwords from the first letter or two from each word in a phrase is more secure than a single word or group of numbers (unfortunately, 123456 is still one of the most commonly used passwords). Abbreviating a passphrase as an acronym makes it easier to use on a smartphone, and circumvents any short character limits you may run into on various sites.

“To be, or not to be, that is the question.” becomes 2bOrN2bT!zT?

“With great power, comes great responsibility.” becomes WgrPcGRe!!

“The needs of the many outweigh the needs of the few.” becomes TNotm0tNotF!

At work, always follow policy for generating passwords, and if you don't know ask!

TOOLS & TASKS to keep your ACCOUNTS SECURE

Remember: follow policy at work and only use company-approved password managers, if allowed.

Use a password manager. Password managers generate strong, unique passwords and sync them across all of your devices. They are inexpensive, easy to use and eliminate the need to remember all but one master password.

Change your passwords every month. According to a recent study, 47% of consumers have a password that’s at least five years old, and 77% have a password that hasn’t been changed in a year. The longer your password goes unchanged, the bigger the risk it is to your security.

Enable two- or multi-factor authentication. Also known as 2FA/MFA, this system requires more than one authentication method to access an account. For example, some websites will send a code to your mobile phone as the second factor of authentication. That way, a criminal can’t access your account even with a cracked password because they won’t have access to the code. This will also notify you if someone is attempting to log in. (See more on 2FA on the next page.)

Use a different password for every account. The temptation is to use one or two passcodes for everything, but that would be like making a single key for all the locks on your house, car, office, safe, etc. Again, a password manager makes unique passwords easy, so you should really consider using one on all of your personal devices.


Two Factors are better than One: HOW 2FA WORKS

FACT FLASH: Many websites and apps enable two-factor authentication, or 2FA, if the user chooses to implement stronger security.

You enter your credentials, often just a username. This is the first factor of authentication. If that is recognized, a “challenge” to the authentication is initiated, via a text message, phone call or email, containing a pin number or passcode. This is the second factor. The idea is that if a bad guy attempts to log in to your account, you will be notified immediately on a verified communication channel. Addition of this second step can stop unauthorized access and make you instantly aware of any suspicious activity.

SOMETHING YOU OWN & KNOW

Have you ever been asked to input your zip code at a gas pump when using a credit card? That is a form of 2FA. The requested zip code, in this case, is the second factor (the physical card being the first factor). This is also known as “Something You Own (the credit card) and Something You Know (the zip code)”, an enhancement over traditional passwords. Expect to see more enhanced authentication systems in the coming months!

TO REMEMBER OR NOT?

Many websites offer a “remember this computer” option, which effectively circumvents 2FA for all subsequent visits after the initial credentials have been established. The purpose is to notify you, via email or SMS, when your account is accessed from an unverified source, which could even be a new device you just bought. Access is denied until the secondary pin or passcode is entered. When using a public or shared computer, be sure to UNCHECK the “remember this computer” box. Better yet: avoid logging into your accounts on a public computer.

Always follow policy at work when establishing log-in preferences.
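As an added illustration of the challenge flow described above (example code written for this newsletter, not from the Security Awareness Company or any vendor), here is a small Python model of a 2FA login: the first factor checks the password, the second factor checks a single-use code that is “sent” to a simulated outbox, and a “remember this computer” flag marks a device as trusted so later logins from it skip the challenge. The code lifetime, user names, device names and clock are constructed values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300  # seconds a one-time code stays valid (constructed value)


def hash_password(password, salt=b"constructed-salt"):
    # A fixed salt keeps the example short; real systems store a random salt per user.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoFactorLogin:
    """Toy model of the 2FA flow: password first, one-time code second."""

    def __init__(self, users, now=time.time):
        self.users = users        # username -> password hash
        self.pending = {}         # username -> (code, expiry time)
        self.trusted = set()      # (username, device_id) pairs that chose "remember this computer"
        self.outbox = []          # stands in for the text message / phone call / email channel
        self.now = now

    def first_factor(self, user, password, device_id):
        stored = self.users.get(user, b"")
        # Hash even for unknown users so response timing does not reveal which accounts exist.
        if not hmac.compare_digest(stored, hash_password(password)):
            return "denied"
        if (user, device_id) in self.trusted:
            return "granted"      # remembered device: the challenge is skipped
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, self.now() + CODE_TTL)
        self.outbox.append((user, code))   # the user would receive this out of band
        return "challenge"

    def second_factor(self, user, code, device_id, remember=False):
        # pop() makes the code single-use: a wrong guess burns it and forces a fresh challenge
        entry = self.pending.pop(user, None)
        if entry is None:
            return "denied"
        expected, expiry = entry
        if self.now() > expiry or not hmac.compare_digest(expected, code):
            return "denied"
        if remember:
            self.trusted.add((user, device_id))
        return "granted"
```

Note that the trusted-device set is exactly the “remember this computer” shortcut the newsletter warns about: on a shared machine, leave `remember` false so every login still requires the second factor.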

Passwords of the Future

Even the most unique passwords are vulnerable. Why? Because no matter how complicated passwords might be, they are still stored in a database. Amazon, Netflix, Facebook – every website that requires a login, stores your password in their servers. All it takes is one data breach to compromise your credentials, which is why you should never use the same login information for multiple accounts.

One proposed solution to our password problem, at least in the immediate future, is biometrics. Biometrics utilize measurable physical characteristics as a form of authentication instead of passcodes. Examples of biometrics include facial recognition, physical gestures, fingerprints and voice recognition. Some smart devices, including phones and gaming consoles, have already implemented some biometrics. App designers are utilizing fingerprint readers for login credentials. Gaming consoles are using facial recognition to unlock accounts. Some credit card companies have apps allowing you to scan your face or fingerprint to make online purchases. The use of unique physical attributes in place of passwords is convenient, and eliminates the need to remember login credentials.

But is it more secure? In theory, biometrics solve the age-old problem of creating and remembering strong, unbreakable passwords. They also ignore a security fundamental: the ability and necessity to change passwords regularly. You can’t change your fingerprint. Fingerprints are still stored as data and data can always be compromised. Unfortunately, nothing in security is, or ever will be, perfect. Breaches will still occur. Even though tech giants like Google, Apple and Microsoft are investing in biometrics and implementing new authentication procedures, there will never be an easy solution to security. It’s still up to you, our Human Firewall, to maintain smart, security aware practices. And always follow policy. If you’re not sure, ask!


MINED YOUR DATA

Your data can and will be used against you. The more information you make public, the easier it is to mine your social media profiles for data that can lead to cracking your passwords or expose you and your family to spear phishing attacks. In the criminal underground, data mining public information is called pharming, gathering up and sowing as much data as they can. Take this example from a few years ago: a high-profile public figure in Hong Kong hired an information security company to see if they could crack his passwords. The company turned to Facebook: “We found out through Facebook who his wife was… We found out through her likes—her public likes—that she ran a pilates studio. We could then send a phishing email to her based around the fact that she ran a pilates studio that was hiring.” The spear phishing attack worked. She opened an email from a job candidate that contained a malicious attachment, and gave the security experts access to her entire computer.

Facebook has since updated their policies and has removed Graph Search, which allowed users to search through all of the data Facebook has acquired from its billion users. This example shows how easy it is to exploit the information we share. And even though Graph Search is no longer active, there is still a long list of free data mining tools available for the bad guys to exploit. In fact, you might be surprised to learn how data mining is being utilized by major corporations to track consumer trends. Hospitals, for example, are hiring companies to mine consumer purchases in an effort to predict who might get sick. Major corporations, credit cards and social media sites are using data mining to analyze trends of users, often in hopes of gaining a competitive edge.

While it’s not illegal and, in some cases, is potentially useful for public safety (tracking terrorists and other criminal activities), data mining does bring up the question of security. You can avoid becoming a victim by following a few common sense steps:

Keep your accounts private. Unless you use social media for your brand or business, there is no reason to have a public account. Strangers don’t need to have access to your conversations and photos.

Only connect with people you know and trust in real life. If you don’t know or recognize the person that sent you a request, don’t friend or add them to your circle without verifying who they are.

Limit the amount of information you make public, even if your account is private. Things like date of birth, place of birth, phone numbers and email addresses can be used by criminals to steal your identity.

Always be skeptical of shared links, friend requests and instant messages to stay safe. Does it sound too good to be true? It probably is. Use caution and use common sense!

Stay informed of the security preferences of every network you join. These settings change over time. Routinely review what is being shared and what is kept private.

Protect your accounts with strong passwords (unique for every site!) and change them often. Remember: always check policy before signing into a social network at work.


HEADLINE NEWS

EU General Data Protection Regulation Passes Final Legislative Hurdle

The EU’s General Data Protection Regulation (GDPR) is official and is slated to take effect in May 2018. The key rules that will be put in place are: the right to be forgotten, mandatory data breach notifications and data protection officers, plus hefty fines for serious breaches. It is not without criticism; some believe that despite its good intentions, it has created an unwarranted amount of difficulty for anyone looking to utilize data to grow their business or civic group. But Justice commissioner Vera Jourová is confident that this was the right path to take, and said in a statement that the GDPR will foster the trust of consumers and give organizations legal certainty. It will also require non-EU businesses to rethink their own privacy models if they wish to continue doing business inside the Union. Read the full statement here: http://bit.ly/1V3hmdM.

URGENT: Uninstall QuickTime for Windows Immediately (Unless...)

Apple announced that they will no longer provide security updates for QuickTime on the Windows platform, and have recommended that users uninstall it ASAP. The lack of future updates drastically increases the possibility of criminal hackers exploiting newfound vulnerabilities that will remain forever unpatched. In fact, Trend Micro has sent out an alert that their Zero Day Initiative has already released advisories for two new, critical vulnerabilities found in the Windows version of QuickTime. To read more and learn how to uninstall it, go here: http://bit.ly/1NbFnfY.

Unfortunately for Adobe customers, they will have to continue to use QuickTime on Windows because certain functionalities of the software depend on it. Adobe’s end goal is to support everything natively without the need for QuickTime, but until then, Windows users are stuck with it. For more info from Adobe, visit: http://adobe.ly/1Znm0Sd.

Reuters @Reuters • May 5: 272.3 million stolen accounts from popular email services for sale on Dark Web by Russian hacker reut.rs/1ZnbtXb

Palo Alto Networks @PaloAltoNtwks • May 2: Iranian malware family called Infy has been attacking since 2007 bit.ly/1Weude7

Infosecurity @InfosecurityMag • May 2: Wendy’s in hot seat after hackers stole customers’ card info bit.ly/21EDGuk

Symantec @symantec • Apr 25: US prez primary apps gather PII & 50+% are exposing sensitive data symc.ly/1XUXWps

Daily Echo @dailyecho • Apr 22: Large amount of confidential patient PHI found dumped in UK alleyway bit.ly/270mQKi

MacKeeper @MacKeeper • Apr 22: Massive breach of 93.4M Mexican voter records found on US soil bit.ly/1Wh8ikv

Endgame @EndgameInc • Apr 20: New ransomware TeslaCrypt spreads via spam with fake tracking link bit.ly/1U6NFqU

Securelist @Securelist • Apr 18: Moscow’s “smart traffic systems” have major security flaws that could create chaos if exploited bit.ly/240uCor

