Information Security News Alert June 2016
Living a Healthy Cyberlife: How Simple Habits Strengthen Your Security & Privacy
Building Strong Passwords
2FA: WHAT IT IS, HOW IT WORKS, & HOW IT FORTIFIES YOUR SECURITY
Fight Back Against Data Mining
The Future of Passwords: Toughen up Logins with Biometrics!
QUESTIONS? PLEASE CONTACT: Dawn Thistle 508-767-7095 dthistle@assumption.edu
Bob Lavner 508-767-7006 blavner@assumption.edu
DISCLAIMER: The advice within was collected and created by the Security Awareness Company and is intended to be used as general safe practices. You should always follow College policy.
THREE STEPS TO A HEALTHY CYBER LIFE
JUST ASK ANY DOCTOR! They tell us to eat right, exercise daily and sleep more to maintain our health. These healthy habits, when part of our daily routine, make us feel better, allow us to indulge occasionally and give us more energy to fully enjoy our lives. Just ask any security expert! They will tell us to create strong passwords, run antivirus and malware detection software, use a VPN on public networks and to always, always, ‘think before you click.’ These simple practices, when part of our daily routine, will help keep our computers free of hostile software, and will better protect our personal and business data, all while we continue to enjoy the wonders of technology. In short, if we treat our online presence the way we should treat our bodies, healthy living in the cyber world is easy to understand. This way we can have a ‘healthier’ online experience while we ‘eat our cake’, too!
Eating Right: That old saying, “you are what you eat,” can easily be applied to the cyber world: YOU are only as strong as your weakest password. Eating right, in this case, means “a well balanced password”: using strong, hard-to-guess words and phrases, and never using the same password twice. Why would you use “bankpassword” to protect and access your banking information? Or “onlinetrading” for your online trading account? That’s obviously the wrong way to pick a password. Don’t forget that your electronic identity, your username and password, is all that stands between your data and criminals.
Exercise Daily: You want to feel better about your security habits and the privacy of your data? Change your passwords regularly. Set a calendar reminder if you have to. Routinely updating passwords is hard work but it pays off, just like hitting the gym three or more times a week. Nobody wants to do it, but everybody wants the results. Of course, by using a password manager for your personal and mobile lives, your passwords will be exercised on a regular basis! At work, find out if there is a company-approved password manager you can use, and remember to always follow policy!
Get More Sleep: Anti-virus and anti-malware software allows us to surf the web mostly worry free, especially since it should be set to update itself fairly often, without involving you. Keep your personal anti-malware software up to date. You should also regularly back up important personal documents (photos, taxes, medical records, financials, that novel you’ve been working on, etc.). At work, never install or modify any software without permission.
Passphrases: The Smart Alternative
In cyber security, length matters. As such, passphrases, an easy way to generate strong access codes, are the smarter and safer alternative to traditional passwords. A passphrase is simply a sequence of words, numbers and/or symbols that are hard to guess but easy for you to remember. Creating a long passphrase isn’t enough. Uniqueness is key. Using common sayings or quoting common sources is no more secure than using common passwords. “Seize the day” is not a strong passphrase. “I have a collection of zombie turtles” is a much stronger passphrase. Unless, of course, you do actually have a collection of zombie turtles and tweet about them frequently, in which case this passphrase becomes a liability. Practicing some common sense with your passphrase is obviously essential. Remember: it should be easy for YOU to remember BUT hard for others to guess.
Longer might be great, but random is better. Creating passphrases and passwords from the first letter or two from each word in a phrase is more secure than a single word or group of numbers (unfortunately, 123456 is still one of the most commonly used passwords). Abbreviating a passphrase as an acronym makes it easier to use on a smartphone, and circumvents any short character limits you may run into on various sites.
- To be, or not to be, that is the question. → 2bOrN2bT!zT?
- With great power, comes great responsibility. → WgrPcGRe!!
- The needs of the many outweigh the needs of the few. → TNotm0tNotF!
At work, always follow policy for generating passwords, and if you don't know, ask!
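The rules in the two passages above (length matters, a common password or a well-known saying is weak no matter how long, and a phrase built from facts you broadcast publicly becomes a liability) can be turned into a screening check. The Python below is an added example, not part of the newsletter; its small blocklists, the 10-character floor and the assess() function are constructed for illustration.

```python
import re

# Constructed sample blocklists for illustration only; a real check would use a
# breached-password list with millions of entries rather than a handful of items.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "bankpassword", "onlinetrading"}
COMMON_SAYINGS = {"seize the day", "carpe diem", "to be or not to be"}
MIN_LENGTH = 10  # assumed floor; the newsletter says only that "length matters"


def normalize(text):
    """Lower-case and strip punctuation so 'Seize the day!!' matches 'seize the day'."""
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))


def character_classes(text):
    """Count how many of lower/upper/digit/symbol appear, a rough proxy for 'random'."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in text) for check in checks)


def assess(candidate, public_facts=()):
    """Return (verdict, reasons). public_facts are things you have posted publicly
    (the 'zombie turtles' problem): a phrase that contains them is a liability."""
    reasons = []
    norm = normalize(candidate)
    if norm in COMMON_PASSWORDS or candidate in COMMON_PASSWORDS:
        reasons.append("is one of the most commonly used passwords")
    if norm in COMMON_SAYINGS:
        reasons.append("is a well-known saying; no better than a common password")
    leaked = [fact for fact in public_facts if normalize(fact) and normalize(fact) in norm]
    if leaked:
        reasons.append("contains publicly known facts: " + ", ".join(leaked))
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"only {len(candidate)} characters; length matters")
    if reasons:
        return "weak", reasons
    words = len(norm.split())
    # Either a genuinely long phrase, or a shorter acronym-style string mixing classes
    if words >= 4 or len(candidate) >= 16 or character_classes(candidate) >= 3:
        return "strong", []
    return "fair", ["add words, or mix upper/lower case, digits and symbols"]
```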
TOOLS & TASKS to keep your ACCOUNTS SECURE
Remember: follow policy at work and only use company-approved password managers, if allowed.
- Use a password manager. Password managers generate strong, unique passwords and sync them across all of your devices. They are inexpensive, easy to use and eliminate the need to remember all but one master password.
- Change your passwords every month. According to a recent study, 47% of consumers have a password that’s at least five years old, and 77% have a password that hasn’t been changed in a year. The longer your password goes unchanged, the bigger the risk it is to your security.
- Enable two- or multi-factor authentication. Also known as 2FA/MFA, this system requires more than one authentication method to access an account. For example, some websites will send a code to your mobile phone as the second factor of authentication. That way, a criminal can’t access your account even with a cracked password because they won’t have access to the code. This will also notify you if someone is attempting to log in. (See more on 2FA on the next page.)
- Use a different password for every account. The temptation is to use one or two passcodes for everything, but that would be like making a single key for all the locks on your house, car, office, safe, etc. Again, a password manager makes unique passwords easy, so you should really consider using one on all of your personal devices.
Two Factors are better than One: HOW 2FA WORKS
Many websites and apps enable two-factor authentication, or 2FA, if the user chooses to implement stronger security.
You enter your credentials, often just a username. This is the first factor of authentication. If that is recognized, a “challenge” to the authentication is initiated, via a text message, phone call or email, containing a pin number or passcode. This is the second factor. The idea is that if a bad guy attempts to log in to your account, you will be notified immediately on a verified communication channel. Addition of this second step can stop unauthorized access and make you instantly aware of any suspicious activity.
TO REMEMBER OR NOT?
Many websites offer a “remember computer” option, which effectively circumvents 2FA for all subsequent visits after the initial credentials have been established. The purpose is to notify you, via email or SMS, when your account is accessed from an unverified source, which could even be a new device you just bought. Access is denied until the secondary pin or passcode is entered. When using a public or shared computer, be sure to UNCHECK the “remember this computer” box. Better yet: avoid logging into your accounts on a public computer. Always follow policy at work when establishing log-in preferences.
FACT FLASH: SOMETHING YOU OWN & KNOW
Have you ever been asked to input your zip code at a gas pump when using a credit card? That is a form of 2FA. The requested zip code, in this case, is the second factor (the physical card being the first factor). This is also known as “Something You Own (the credit card) and Something You Know (the zip code)”, an enhancement over traditional passwords. Expect to see more enhanced authentication systems in the coming months!
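The exchange described above (first factor checked, a one-time code sent over a separate channel, access denied until that code is entered, and a “remember this computer” token that bypasses the second step on later visits) as an added Python model; it is not part of the newsletter, and the TwoFactorLogin class, its code lifetime, attempt limit and demo password hashing are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


def password_hash(password):
    # Demo only: a real service stores a salted, slow hash (bcrypt/scrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


class TwoFactorLogin:
    """Password is the first factor; a one-time code delivered out of band is the
    second; a 'remember this computer' token skips the second step on that device."""

    CODE_TTL = 300     # seconds a delivered code remains valid (assumed)
    MAX_ATTEMPTS = 3   # wrong codes allowed before the challenge is voided (assumed)

    def __init__(self, users, send_code):
        self.users = users          # username -> password_hash()
        self.send_code = send_code  # callable(username, code): the SMS/email/voice channel
        self.pending = {}           # username -> [code, expiry, attempts_left]
        self.remembered = set()     # device tokens allowed to skip the second factor

    def start(self, username, password, device_token=None):
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, password_hash(password)):
            return "denied"
        if device_token in self.remembered:
            return "granted"        # remembered computer: the second factor is bypassed
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[username] = [code, time.time() + self.CODE_TTL, self.MAX_ATTEMPTS]
        self.send_code(username, code)  # the owner is alerted even if an attacker triggered this
        return "challenge"

    def finish(self, username, code, remember=False):
        entry = self.pending.get(username)
        if entry is None or time.time() > entry[1]:
            self.pending.pop(username, None)
            return "denied", None
        if not hmac.compare_digest(entry[0], code):
            entry[2] -= 1
            if entry[2] == 0:
                del self.pending[username]
            return "denied", None
        del self.pending[username]
        token = None
        if remember:                # only sensible on a device you control
            token = secrets.token_urlsafe(16)
            self.remembered.add(token)
        return "granted", token
```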
Passwords of the Future
Even the most unique passwords are vulnerable. Why? Because no matter how complicated passwords might be, they are still stored in a database. Amazon, Netflix, Facebook – every website that requires a login, stores your password in their servers. All it takes is one data breach to compromise your credentials, which is why you should never use the same login information for multiple accounts. One proposed solution to our password problem, at least in the immediate future, is biometrics. Biometrics utilize measurable physical characteristics as a form of authentication instead of passcodes. Examples of biometrics include facial recognition, physical gestures, fingerprints and voice recognition. Some smart devices, including phones and gaming consoles, have already implemented some biometrics. App designers are utilizing fingerprint readers for login credentials. Gaming consoles are using facial recognition to unlock accounts. Some credit card companies have apps allowing you to scan your face or fingerprint to make online purchases. The use of unique physical attributes in place of passwords is convenient, and eliminates the need to remember login credentials.
But is it more secure? In theory, biometrics solve the age-old problem of creating and remembering strong, unbreakable passwords. They also ignore a security fundamental: the ability and necessity to change passwords regularly. You can’t change your fingerprint. Fingerprints are still stored as data and data can always be compromised. Unfortunately, nothing in security is, or ever will be, perfect. Breaches will still occur. Even though tech giants like Google, Apple and Microsoft are investing in biometrics and implementing new authentication procedures, there will never be an easy solution to security. It’s still up to you, our Human Firewall, to maintain smart, security aware practices. And always follow policy. If you’re not sure, ask!
MINED YOUR DATA
Your data can and will be used against you. The more information you make public, the easier it is to mine your social media profiles for data that can lead to password cracking or spear phishing attacks against you and your family. In the criminal underground, data mining public information is called pharming, gathering up and sowing as much data as they can. Take this example from a few years ago: a high-profile public figure in Hong Kong hired an information security company to see if they could crack his passwords. The company turned to Facebook: “We found out through Facebook who his wife was… We found out through her likes—her public likes—that she ran a pilates studio. We could then send a phishing email to her based around the fact that she ran a pilates studio that was hiring.” The spear phishing attack worked. She opened an email from a job candidate that contained a malicious attachment, and gave the security experts access to her entire computer. Facebook has since updated their policies and has removed Graph Search, which allowed users to search through all of the data Facebook has acquired from its billion users. This example shows how easy it is to exploit the information we share. And even though Graph Search is no longer active, there is still a long list of free data mining tools available for the bad guys to exploit. In fact, you might be surprised to learn how data mining is being utilized by major corporations to track consumer trends. Hospitals, for example, are hiring companies to mine consumer purchases in an effort to predict who might get sick. Major corporations, credit cards and social media sites are using data mining to analyze trends of users, often in hopes of gaining a competitive edge.
While it’s not illegal and, in some cases, is potentially useful for public safety (tracking terrorists and other criminal activities), data mining does bring up the question of security. You can avoid becoming a victim by following a few common sense steps:
Keep your accounts private. Unless you use social media for your brand or business, there is no reason to have a public account. Strangers don’t need to have access to your conversations and photos.
Only connect with people you know and trust in real life. If you don’t know or recognize the person that sent you a request, don’t friend or add them to your circle without verifying who they are.
Limit the amount of information you make public, even if your account is private. Things like date of birth, place of birth, phone numbers and email addresses can be used by criminals to steal your identity.
Always be skeptical of shared links, friend requests and instant messages to stay safe. Does it sound too good to be true? It probably is. Use caution and use common sense!
Stay informed of the security preferences of every network you join. These settings change over time. Routinely review what is being shared and what is kept private.
Protect your accounts with strong passwords (unique for every site!) and change them often. Remember: always check policy before signing into a social network at work.
HEADLINE NEWS
EU General Data Protection Regulation Passes Final Legislative Hurdle
The EU’s General Data Protection Regulation (GDPR) is official and is slated to take effect in May 2018. The key rules that will be put in place are: the right to be forgotten, mandatory data breach notifications and data protection officers, plus hefty fines for serious breaches. It is not without criticism; some believe that despite its good intentions, it has created an unwarranted amount of difficulty for anyone looking to utilize data to grow their business or civic group. But Justice commissioner Vera Jourová is confident that this was the right path to take, and said in a statement that the GDPR will foster the trust of consumers and give organizations legal certainty. It will also require non-EU businesses to rethink their own privacy models if they wish to continue doing business inside the Union. Read the full statement here: http://bit.ly/1V3hmdM.
URGENT: Uninstall QuickTime for Windows Immediately (Unless...)
Apple announced that they will no longer provide security updates for QuickTime on the Windows platform, and have recommended that users uninstall it ASAP. The lack of future updates drastically increases the possibility of criminal hackers exploiting newfound vulnerabilities that will remain forever unpatched. In fact, Trend Micro has sent out an alert that their Zero Day Initiative has already released advisories for two new, critical vulnerabilities found in the Windows version of QuickTime. To read more and learn how to uninstall it, go here: http://bit.ly/1NbFnfY.
Unfortunately for Adobe customers, they will have to continue to use QuickTime on Windows because certain functionalities of the software depend on it. Adobe’s end goal is to support everything natively without the need for QuickTime, but until then, Windows users are stuck with it. For more info from Adobe, visit: http://adobe.ly/1Znm0Sd.
Reuters @Reuters • May 5: 272.3 million stolen accounts from popular email services for sale on Dark Web by Russian hacker reut.rs/1ZnbtXb
Palo Alto Networks @PaloAltoNtwks • May 2: Iranian malware family called Infy has been attacking since 2007 bit.ly/1Weude7
Infosecurity @InfosecurityMag • May 2: Wendy’s in hot seat after hackers stole customers’ card info bit.ly/21EDGuk
Symantec @symantec • Apr 25: US prez primary apps gather PII & 50+% are exposing sensitive data symc.ly/1XUXWps
Daily Echo @dailyecho • Apr 22: Large amount of confidential patient PHI found dumped in UK alleyway bit.ly/270mQKi
MacKeeper @MacKeeper • Apr 22: Massive breach of 93.4M Mexican voter records found on US soil bit.ly/1Wh8ikv
Endgame @EndgameInc • Apr 20: New ransomware TeslaCrypt spreads via spam with fake tracking link bit.ly/1U6NFqU
Securelist @Securelist • Apr 18: Moscow’s “smart traffic systems” have major security flaws that could create chaos if exploited bit.ly/240uCor