OUCH! June 2014: Disposing of your Mobile Device

OUCH! June 2014: The Monthly Security Awareness Newsletter for Computer Users

Disposing of Your Mobile Device
Overview: Mobile devices, such as smartphones and tablets, continue to advance and innovate at an astonishing rate. As a result, many of us replace our mobile devices as often as every 18 months. Unfortunately, too many people simply dispose of their older mobile devices with little thought on just how much personal data their devices have accumulated. In this newsletter we will cover what types of personal information may be on your mobile device and how you can securely wipe it before disposing of it or returning it. If your mobile device was issued to you by your employer or has any organizational data stored on it, be sure to check with your supervisor about proper backup and disposal procedures before following the steps below.

For the full newsletter, visit: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201406_en.pdf 

Heartbleed bug: Check which sites have been patched

by Jason Cipriani
April 9, 2014

We compiled a list of the top 100 sites across the Web, and checked to see if the Heartbleed bug was patched.

The Heartbleed bug was serious. Disclosed less than two days ago, the Heartbleed bug has sent sites and services across the Internet into patch mode.

For an in-depth explanation of what exactly Heartbleed is, and what it does, read this post by our own Stephen Shankland. In essence, the bug potentially exposed your username and password on sites like Facebook, Google, Pinterest, and more.

Using Alexa.com, we've been going through the list of the top 100 sites in the US and asking "Have you patched the Heartbleed bug yet?" Once we have an answer, we will fill in the chart below with the response.

While we wait to hear back, we will be testing the sites against the Qualys SSL Server Test. There may be some instances where the patch isn't detected or a server can not be inspected (the site may be fine, but Qualys can not confirm that), in which case we will mark the site as "be on alert." When a site is marked as such, you should proceed with caution and contact the site or company directly if you have any questions pertaining to your account security.

You may notice some companies will be marked as "was not vulnerable." In that case, the site in question does not use the type of OpenSSL encryption this bug was based on and your data was never at risk.

If you're checking back after seeing earlier versions of this story, you may also notice that some statuses have changed. For instance, the status for Microsoft, MSN, and Live has been updated to "was not vulnerable" once Microsoft confirmed that to be the case.

http://www.cnet.com/news/which-sites-have-patched-the-heartbleed-bug/ 

Happy Earth Day!

Did you know that each person in the United States uses about 749 pounds of paper every year?With tax season coming to a close, do you need to securely dispose of potentially sensitive documents? Please join Technology Services and shred your stuff! Bring your personal documents to Cougar Drive (near the lawn of Banks Hall) to be shredded on-site by New World Recycling and celebrate Earth Day! Thursday, April 24, 2014 from 1:00p-4:00p.

DOE Offers "Student Privacy and Confidentiality" Hotline Service

March 18, 2014

1-800-PRI-VACY: Student data privacy has been a hot topic for both concerned educators and vendors. But instead of worrying, why not just call the U.S. Department of Education's private data hotline? PTAC (the DOE's Privacy Technical Assistance Center) has a toll-free phone number where education stakeholders can ask "questions on privacy, confidentiality, and data security"--24 hours a day, seven days a week.

According to the Department of Edtech Head Richard Culatta, the hotline is available for both "schools and developers" to get whatever information they need on security practices--no matter how specific or extreme. The trend tends toward schools, however, according to DOE press rep Dave Thomas:
"The vast majority of the questions on the PTAC hotline come from school/district administrators and state officials in both K-12 and higher education. The questions generally relate to student privacy, and vary widely. Just a few topics we've covered recently include questions about whether data can be shared under FERPA in various contexts, advice on how to store and transmit data securely, advice on protecting privacy in public data tables, and questions about school contracting." 

https://www.edsurge.com/n/2014-03-18-doe-offers-student-privacy-and-confidentiality-hotline-service 

Phishing Scam on Netflix May Trick you with Phony Customer Service Reps

The Huffington Post
by Taylor Casti
Posted 03/07/2014

A new phishing scam targeting Netflix subscribers preys on our blind trust of customer service representatives when it comes to our information.

Users being targeted by the scam will see a phony webpage modeled after the Netflix login page. When a user enters Netflix account info, the scam site claims that the user's Netflix account has been suspended due to "unusual activity" and then provides a fake customer service number. When the user calls that number, a representative on the phone recommends a download of "Netflix support software" which is actually remote login software that gives the scammers complete access to your computer. The scammers may also ask for copies of photo IDs or credit cards.

Jerome Segura of Malwarebytes Unpacked first noticed the scam on Feb. 28 and made a handy video to protect customers from falling for it. He told The Huffington Post that users might stumble across the fake site via a link in phishing email, pop-up window, or ad.

Segura says that while he was on the phone with the "rogue representatives," they were busy searching his computer for things like banking information or lists of passwords.

There are plenty of red flags here to warn customers that something is awry, but for those who are too trusting of the voice on the other end of the customer service line, check out Segura's video for highlights from the call.

A good rule to remember is not to be too trusting when it comes to giving out personal information. Avoid letting someone remotely control your computer, don't send pictures of your ID or credit cards over the Internet and be sure to double check URLs in the address bar of your browser. Also, anyone can look up the real Netflix customer service number and see that it doesn't match the scammers' number.

Happy streaming, and stay safe out there.

Documentary Screening: Terms and Conditions May Apply

Please join Technology Services for a screening of the critically acclaimed data privacy documentary Terms and Conditions May Apply.

Friday, February 14, 2014
11:30a-1:00p
Atkins-Holman Student Commons

Admit it: you don't really read the endless terms and conditions connected to every website you visit, phone call you make, or app you download. But every day, billion-dollar corporations are learning more about your interests, your friends and family, your finances, and your secrets, and they're not only selling the information to the highest bidder, but also sharing it with the government. And you agreed to all of it. This disquieting expose demonstrates how every one of us is incrementally opting-in to a real time surveillance state, click-by-click--and what, if anything, you can do about it.

Data Privacy Day--January 28th

The weakest link in data privacy is, well, you
by Frank Catalano

Happy Data Privacy Day! The first round of credit card numbers is on me!

Yes, this is Tuesday, Jan. 28 really is Data Privacy Day in the U.S. and Canada, commemorating the 1981 signing of Convention 108, an international treaty dealing with privacy and data protection. (In Europe, where it originated, it's known as Data Protection Day.)

Safeguarding one's personal data may seem Sisyphusian in the wake of enterprise-level consumer breaches like those recently at Target and Neiman Marcus. But if you, like me, are concerned, I’ve found it helps to unpack the concept of good personal data hygiene into three elements, each with increasing levels of individual control.

After all, to paraphrase and extend Joseph Heller’s Catch-22 observation, if everyone truly is after your personal information, paranoia is just a good strategy. (No matter how much one might whine about password problems.)

Allow me to over-simplify.

1) Security. This is how well-protected the data is wherever it is stored, largely a technology issue. You, personally (unless you work for the NSA), pretty much are SOL on this, unless you understand data transfer protocols, encryption standards, authentication methods, and can direct which of each is used by an organization that holds your personal information.

Forrester Research recently weighed in on the authentication (that is, proving to the system that you are who you say you are, and that you have the right to get in) part in a dizzying-yet-compact report, “Employee and Customer Authentication Solutions,” that bluntly states, “Current user authentication methods are failing organizations badly.” Rather than concluding that entropy will win, it hopefully points to a “massive third generation of innovation” including the rise of smart mobile device methods, and the concept of “responsive design” for authentication that takes into account how someone is accessing the system, any contextual clues as to legitimacy, and overall risk.

It’s somewhat like how TSA determines a traveler is qualified for an expedited security PreCheck, but without the full-body-massage fallback.

2) Privacy. This is less about technical protection, and more about what can be done with the data and how selectively it’s shared, turning it from a technology to a policy matter. And “policy” means groups of sadly fallible humans making rules, whether they’re expressed as government regulations, vendor contracts or Facebook’s ever-morphing terms of use.

Individuals have – and want – more influence here. Nonprofit Common Sense Media this month released a national survey that shows, for example, 90% of U.S. adults are concerned about how “non-educational interests” might be able to get to and use personal information about students. Whether those “interests” actually could get or use it (or even want to) is a separate but equally important matter. Still, another study done by Fordham University notes that a “sizeable plurality” of school districts using web-based services for student data had contract gaps, such as missing privacy policies. (Interestingly, Microsoft helped underwrite this study.) Not to mention that kids interact with consumer sites and apps outside of a school environment.

Apparently a few parents and school administrators may need to study up on tech, or perhaps contract law. As might anyone who relies on another party to store personal information, to make sure assumptions are backed up by documented assurances.

3) Practice. The third element effectively is a mash-up of the first two: how well they are implemented under real-world conditions. And here is where the individual is in the most control and, if recent reports on self-inflicted injuries are any indication, is the most screwed.

A summary of the 2013 IT Risk/Reward Barometer from ISACA (an association of information security professionals) finds that while nine out of ten of us worry that our information will be stolen, half of us use the same two or three passwords across multiple accounts and websites.

While it’s true that many sites don’t make remembering strong passwords easy due to maddening inconsistencies across sites and even across platforms used for a single account, there is no excuse for using, say, what security firm SplashData called the Worst Password of 2013 (123456) or any of the runners-up (password, 12345678, qwerty). These are actual user passwords revealed as the results of data breaches. You know who you are.

It’s similar to how some website administrators never changed the default webserver login from “admin,” and then wondered why their sites were hacked. That happened, too.

So is there any hope that developments in security can help address practice, the weakest individual human link in personal data safety? Especially since we are, by nature, lazy and easily bump up against what we consider tolerable demands on convenience and memory?

“When technology arises that offers direct privacy and security benefits that individuals value, along with removing user experience friction in achieving it, then we’ll see uptake,” observes Eve Maler, who, as principal analyst for security and risk, co-authored the recent Forrester Research report. Responsive design in authentication is one reason for optimism: “The whole goal is inconveniencing the good guys the least, and the bad guys the most,” she says.

Some of those technologies will include our current BFFs, smartphones (such as approaches like PassQi’s, which uses iPhones, QR codes and bookmarklets to authenticate us with sites we choose – and gently advises us to avoid bad or duplicated site passwords). Just remember to also lock said smartphone’s screen, too, with a thumbprint or PIN.

But personal information is not safeguarded in isolation. Rock-solid technology and vigilant practice fails when confronted with a leaky policy for privacy. If you don’t address all three, you’re not really addressing it at all.

Or, to paraphrase another great literary figure, Pogo: We have met the enemy when it comes to personal data safeguards. And he is us.

Data Privacy Month

Data Privacy Month (DPM) is an annual effort to empower people to protect their privacy and control their digital footprint, as well as escalate the protection of privacy and data as everyone's priority. Data Privacy Month will be celebrated in 2014 starting with Data Privacy day on January 28 and running through February 28. Spend the month helping to ensure your campus community is respecting privacy, safeguarding data, and enabling trust.

Data flows freely in today's online world. Everyone--from home computer users to multinational corporations--needs to be aware of the personal data others have entrusted to them and remain vigilant and proactive about protecting it. Being a good online citizen means practicing conscientious data stewardship. Data Privacy Day (January 28th) is an effort to empower and educate people to protect their privacy, control their digital footprint, and  make the protection of privacy and data a great priority in their lives.

Data Privacy Day is led by the National Cyber Security Alliance, a nonprofit, public-private partnership dedicated to cybersecurity education and awareness, and advised by a distinguished advisory committee of privacy professionals.

http://www.staysafeonline.org/data-privacy-day/about/ 

Securing your Home Network

Home networks were relatively simple years ago, perhaps nothing more than a wireless access point and computer or two used to surf the internet or play games online. However, home networks have become increasingly complex. Not only are we connecting more devices to our home networks, but we are doing more things with them. In the January 2014 edition of SANS monthly security awareness newsletter for computer users, OUCH, SANS offers some basic steps for creating a more secure home network.

To view the full newsletter, click here: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201401_en.pdf .

Hackers hijacking free Wi-Fi, especially at airports

Better Business Bureau
Posted: Tuesday, November 26, 2013 9:15 a.m.

Everywhere you look these days, you see people using their electronic gadgets: smartphones, tablets, gaming systems, and e-readers. Most of these gadgets require Wi-Fi to access the Internet or the gadget itself is a Wi-Fi hotspot. May airports and other public spaces offer Wi-Fi for the public to log onto the internet from their laptop computers.

"Hackers are now taking advantage of travelers who want to stay connected," said BBB President Tom Bartholomy. "They are setting up fake Wi-Fi connections designed to steal your personal information without you even knowing it."

How it works:

Although hackers have set up fake Wi-Fi connections in many locations, airports are a favorite hot spot. When searching for connections, consumers may see a network connection available that could simply be named "Free Wi-Fi."

Unfortunately, the network may actually be an ad-hoc network, or a peer-to-peer connection. The user will be able to surf the internet, but they are doing it through a hacker's computer.

"While the user is online, the hacker is stealing information like passwords, credit card and bank account numbers, and social security numbers from the user's laptop computers," said Bartholomy. "Airports across the nation continue to report Wi-Fi security issues."

The BBB offers the following advice for travelers using Wi-Fi hotspots:

• Connect securely. Never connect to an unfamiliar wireless network--even if the name sounds genuine. A hacker can change the name of his network to anything he wants, including the name of the legitimate Internet connection offered by the airport.
• Disable automatic connections. Make sure that your computer is not set up to automatically connect to any wireless networks in your range. Otherwise, your computer could automatically connect to the hacker's network without your knowledge.
• Turn off file sharing when you are on the road to prevent hackers from stealing sensitive data from your computer. Turn off the Wi-Fi hotspot on your device so others cannot sign in to your network. 
• Create a Virtual Private Network (VPN). A VPN establishs a private network across the public network which prevents a hacker from intercepting your data. If your mobile device has a Wi-Fi hotspot feature, you definitely need a VPN to prevent other people from accessing the internet via your mobile device.

For more information, please visit BBB or cal 1-877-317-7236 toll free in N.C. and S.C.

http://www.salisburypost.com/article/20131126/SP01/131129767/

Target confirms massive credit-card data breach

Melanie Eversley and Kim Hjelmgaard, USA Today
8:29am EST December 19, 2013

Target says that its stores have been hit by a  major credit-card attack involving up to 40 million accounts.

Chief Executive Officer Greg Steinhafel confirmed Thursday morning earlier reports that a brazen data breach had taken place. In a statement, Steinhafel said "Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue."

The retailer said that the unlawful access to customer information took place between November 27 and December 15.

Earlier, the Secret Service confirmed to USA TODAY that it is investigating the massive data violation involving shoppers' personal credit-card information.

The Secret Service will confirm it is investigating the incident at Target," spokesman Brian Leary said in telephone interview Wednesday night. "We don't have any further comment because its an ongoing investigation."

The breach began around Black Friday, the day after Thanksgiving and the busiest shopping day of the year.

The breach involves the theft of information stored on the magnetic stripe on the backs of cards used at nearly all of Target's stores around the country, according to the Krebs on Security website, who first reported the news.

KrebsOnSecurity.com is the website of Brian Krebs, a national computer security expert and former Washington Post reporter.

Target is based in Minneapolis and has almost 1,800 stores in the United States and 124 in Canada, according to its website.

James Issokson, vice president of MasterCard communications, said in an email to USA TODAY that a question regarding the potential breach "at this point is best directed to Target."

An expert with a global firm that helps companies respond to and mitigate breaches said while he could not address the Target situation specifically, many companies--large and small--are typically under-prepared when they face a breach.

Most important is that the potential breach be addressed quickly, to help get information out to those affected and to regulators, to bring in the right experts to address the breach (such as forensic experts who can stop cyber attacks) and to help preserve the public's trust in the company, said Mike Donovan, Global Focus Group Leader for Beazley Breach Response, headquartered in London.

"We see breaches across all sizes of companies," said Donovan, who is based in San Francisco. "You see the stories about the big ones in the news, but breaches are affecting companies all across the board."

Beazley recently responded to its 1000th breach and the company has seen a "significant number" of large breaches in the last four or five years, Donovan said.

It happens all the time, every day, with retailers, health care organizations, schools, and other operations, he said.

"Any company that handles personal data is vulnerable," Donovan said.

The potential breach does not appear to involve online purchases, Krebs reports. It appears the type of data stolen would allow thieves to create counterfeit credit cards and, if pin numbers were intercepted, would also allow thieves to withdraw cash from ATM machines, according to Krebs.

Visa did not respond to emails or telephone messages left with its corporate office.