Wednesday, July 23, 2014
By Josephine Wolff
When I was in college, the main campus library had several computers set up on the first floor for public use, and invariably, whenever I used one, a previous user had not logged out of her Gmail account. So when I tried to load my account, I would instead find myself staring at the entire contents of someone else's inbox. Of course, I would then log that person out and sign myself in--but those brief moments when I had complete access to another person's email were terrifying nonetheless. How could people be so careless with something as valuable as their email account? And then, inevitably, after my own session, I would make it halfway across campus and suddenly begin worrying that I might have forgotten to log myself out--the same way you might worry you forgot to turn off the stove, or lock the door before leaving your house--and so I would trek back up to the library and check.
I still fear public computers, a terror that was only reinforced by the July 10 advisory that the Secret Service and National Cybersecurity and Communications Integration Center issued about keyloggers on hotel business center machines. The advisory, first reported by security researcher Brian Krebs, was directed at the hospitality industry and warned of cases in which people who had registered at hotels with stolen credit cards downloaded keylogging software onto the computers in the hotels’ business centers.
The software would then capture every keystroke entered on those public machines—including the usernames and passwords entered by unsuspecting hotel guests, as well as the content of any emails or documents they wrote on those machines. The log of these keystrokes would be emailed to the person who had installed the malicious program, providing the hacker with a wealth of data on the business center users. “The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers,” according to the advisory.
This, of course, is a far more serious—and nefarious—threat than college students who forget to log out of their Gmail accounts and thereby give strangers access to their email, but both risks stem from a common problem in computer security: our tendency to treat public computers like personal ones and, more broadly, to ignore the physical dimension of cybersecurity.
Krebs points out that while there are ways that hotels can try to make it more difficult for people to download keyloggers on their computers—by restricting users’ ability to install programs, for instance—there’s a limited amount that can be done to improve the security of public computers, especially if they’re to provide any valuable services to users. Or, as Krebs puts it, “if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer.”
Basic safeguards are still worth taking, if only to restrict the set of potential perpetrators to “skilled attackers.” The advisory noted:
It doesn’t take much skill to find keylogging software online and install it on a public machine. You don’t need to know how computers work, you don’t need to be an expert coder, you just need to be dishonest—and have access to a computer that other people use. This is data theft at its easiest—and perhaps also at its easiest to overlook.
The good news about the physical security elements of cybersecurity threats is that, just as they are relatively easy for nontechnical people to exploit, they are also fairly straightforward for other nontechnical people to defend against. Essentially, you want to make it as difficult as possible for anyone who is not you to ever use your private computer, and you should only use public ones under the assumption that anything you do on them may be captured or accessible to others. Just as you might take basic hygiene steps to avoid germs and bacteria in public bathrooms (or on public keyboards), some simple cyber hygiene measures can help you ward against the digital diseases carried by the outside world. This means always—always, always—locking your computer whenever you walk away from it, not letting other people use it, and not checking your primary email account or bank account—or doing anything else potentially sensitive—in a hotel business center or on any other public computer.
This certainly won’t protect against all cybersecurity threats—it won’t even protect against all of the problems posed by hotel networks, which can be used to install malware on personal computers, or even public computers—my sophomore year, those same computers in the main campus library that I occasionally (and foolishly) used to check my email were used to send anonymous death threats via email. But at the very least, these sorts of measures will help weed some of the less technically talented from the field of would-be cybercriminals and allow us to continue studying and learning about the novel nature of these digital threats without losing sight of the ways in which they are not entirely new. Cybersecurity and physical security are closely related—increasingly so, as more physical objects are connected to online infrastructure in various ways—and even as computer networks pose some new security challenges, they can still benefit from applying some of the older lessons of physical security.
Monday, June 9, 2014
Disposing of Your Mobile Device
Overview: Mobile devices, such as smartphones and tablets, continue to advance and innovate at an astonishing rate. As a result, many of us replace our mobile devices as often as every 18 months. Unfortunately, too many people simply dispose of their older mobile devices with little thought on just how much personal data their devices have accumulated. In this newsletter we will cover what types of personal information may be on your mobile device and how you can securely wipe it before disposing of it or returning it. If your mobile device was issued to you by your employer or has any organizational data stored on it, be sure to check with your supervisor about proper backup and disposal procedures before following the steps below.
For the full newsletter, visit: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201406_en.pdf
Friday, April 11, 2014
April 9, 2014
We compiled a list of the top 100 sites across the Web, and checked to see if the Heartbleed bug was patched.
The Heartbleed bug was serious. Disclosed less than two days ago, the Heartbleed bug has sent sites and services across the Internet into patch mode.
For an in-depth explanation of what exactly Heartbleed is, and what it does, read this post by our own Stephen Shankland. In essence, the bug potentially exposed your username and password on sites like Facebook, Google, Pinterest, and more.
Using Alexa.com, we've been going through the list of the top 100 sites in the US and asking "Have you patched the Heartbleed bug yet?" Once we have an answer, we will fill in the chart below with the response.
While we wait to hear back, we will be testing the sites against the Qualys SSL Server Test. There may be some instances where the patch isn't detected or a server cannot be inspected (the site may be fine, but Qualys cannot confirm that), in which case we will mark the site as "be on alert." When a site is marked as such, you should proceed with caution and contact the site or company directly if you have any questions pertaining to your account security.
You may notice some companies will be marked as "was not vulnerable." In that case, the site in question does not use the type of OpenSSL encryption this bug was based on and your data was never at risk.
If you're checking back after seeing earlier versions of this story, you may also notice that some statuses have changed. For instance, the status for Microsoft, MSN, and Live has been updated to "was not vulnerable" once Microsoft confirmed that to be the case.
Monday, April 7, 2014
Wednesday, March 19, 2014
1-800-PRI-VACY: Student data privacy has been a hot topic for both concerned educators and vendors. But instead of worrying, why not just call the U.S. Department of Education's private data hotline? PTAC (the DOE's Privacy Technical Assistance Center) has a toll-free phone number where education stakeholders can ask "questions on privacy, confidentiality, and data security"--24 hours a day, seven days a week.
According to the Department of Education's edtech head, Richard Culatta, the hotline is available for both "schools and developers" to get whatever information they need on security practices--no matter how specific or extreme. The trend tends toward schools, however, according to DOE press rep Dave Thomas:
"The vast majority of the questions on the PTAC hotline come from school/district administrators and state officials in both K-12 and higher education. The questions generally relate to student privacy, and vary widely. Just a few topics we've covered recently include questions about whether data can be shared under FERPA in various contexts, advice on how to store and transmit data securely, advice on protecting privacy in public data tables, and questions about school contracting."
Friday, March 7, 2014
by Taylor Casti
A new phishing scam targeting Netflix subscribers preys on our blind trust of customer service representatives when it comes to our information.
Users being targeted by the scam will see a phony webpage modeled after the Netflix login page. When a user enters Netflix account info, the scam site claims that the user's Netflix account has been suspended due to "unusual activity" and then provides a fake customer service number. When the user calls that number, a representative on the phone recommends a download of "Netflix support software" which is actually remote login software that gives the scammers complete access to your computer. The scammers may also ask for copies of photo IDs or credit cards.
Jerome Segura of Malwarebytes Unpacked first noticed the scam on Feb. 28 and made a handy video to protect customers from falling for it. He told The Huffington Post that users might stumble across the fake site via a link in phishing email, pop-up window, or ad.
Segura says that while he was on the phone with the "rogue representatives," they were busy searching his computer for things like banking information or lists of passwords.
There are plenty of red flags here to warn customers that something is awry, but for those who are too trusting of the voice on the other end of the customer service line, check out Segura's video for highlights from the call.
A good rule to remember is not to be too trusting when it comes to giving out personal information. Avoid letting someone remotely control your computer, don't send pictures of your ID or credit cards over the Internet and be sure to double check URLs in the address bar of your browser. Also, anyone can look up the real Netflix customer service number and see that it doesn't match the scammers' number.
Happy streaming, and stay safe out there.
Thursday, February 6, 2014
Friday, February 14, 2014
Atkins-Holman Student Commons
Admit it: you don't really read the endless terms and conditions connected to every website you visit, phone call you make, or app you download. But every day, billion-dollar corporations are learning more about your interests, your friends and family, your finances, and your secrets, and they're not only selling the information to the highest bidder, but also sharing it with the government. And you agreed to all of it. This disquieting exposé demonstrates how every one of us is incrementally opting in to a real-time surveillance state, click by click--and what, if anything, you can do about it.