Santa Clara University

Information Security Office


Information Security News and Events

News, events, views, tips, and hints for keeping your personal information private.

  •  Two Layers of Added Security

    Wednesday, Jul. 15, 2015

    To protect your account, passwords are a must. They provide you with added security to keep prying eyes away from your information and data. However, passwords can only do so much to keep your account safe. Passwords are stolen all the time. Doing things such as using the same password for more than one site, clicking on links in emails, or using a weak password can increase your chances of getting your password stolen. 

    (For more information about passwords, please visit: http://www.scu.edu/is/secure/guides/passwords.cfm)

    When someone steals your password, they can lock you out of your account and use it for malicious deeds. If you use the same password for multiple sites, the perpetrator may gain access to all of them. 

    This is where two-factor authentication (2FA) comes in. Most people have one layer (their password) to protect their account. 2FA adds a second level of authentication to an account log-in. If a bad guy hacks through your password level, 2FA makes it harder for him to get into your account. 

    2FA requires users to have 2 out of 3 types of credentials before they can access an account. The types are: 

    • something you know (PIN, password, pattern, etc.)
    • something you physically have (ATM card, security token, phone, text message, etc.)
    • something you are or do (fingerprint, voice, facial recognition, signature, etc.)

    Here is an example of a 2FA login:

    When you log on to your account, you enter your password and your phone gets a text message with a "code" that will give you access to your account. You will need both the password and code for the login process. 
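    The login flow just described, as an added example that is not part of the original post: a Python sketch of the server side of a 2FA login, which checks the password (something you know) and a one-time code (something you have) before granting access. It uses a time-based code of the kind an authenticator app produces (TOTP, RFC 6238) rather than the text message in the example above, so that the code generation itself can be shown in full. The user record, salt and password are constructed for the demo, and the secret is the RFC 6238 test-vector key, not anything from a real account.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# --- Second factor: one-time codes (HOTP, RFC 4226; TOTP, RFC 6238; SHA-1 variant) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic truncation"
    to a `digits`-digit decimal code (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter taken from the clock: floor(time / step)."""
    return hotp(secret, int(at_time) // step, digits)


# --- First factor: salted, slow password hash (constructed demo data, not real credentials) ---

_SALT = b"constructed-demo-salt"   # a real system stores a random salt per user
_ITERATIONS = 100_000

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)

USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple"),  # constructed password
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret (constructed)
        "last_counter": -1,   # highest time step already used: each code is accepted once
    }
}


def verify_login(username: str, password: str, code: str,
                 now: Optional[float] = None, window: int = 1) -> bool:
    """Grant access only when BOTH factors check out.
    Both factors are always evaluated (so response time does not reveal which one
    failed), comparisons are constant-time, and an already-used code is rejected."""
    now = time.time() if now is None else now
    user = USERS.get(username)

    # Unknown user: still pay the hashing cost so timing does not leak whether the name exists.
    stored_hash = user["pw_hash"] if user is not None else hash_password("placeholder")
    pw_ok = user is not None and hmac.compare_digest(hash_password(password), stored_hash)

    matched = None
    if user is not None:
        base = int(now) // 30
        # Accept the current step and `window` steps either side to tolerate clock drift,
        # but never a step at or below the last one that was already used (replay guard).
        for c in range(base - window, base + window + 1):
            expected = hotp(user["totp_secret"], c).encode("ascii")
            if hmac.compare_digest(expected, code.encode("utf-8")) and c > user["last_counter"]:
                matched = c

    if pw_ok and matched is not None:
        user["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    print("code right now:", totp(secret, time.time()))
    print("login at T=59 with code 287082:",
          verify_login("alice", "correct horse battery staple", "287082", now=59))
```

    The two factors fail independently: a stolen password alone yields a `False` from `verify_login`, and a code intercepted from an earlier login is useless both because it expires with the 30-second step and because the replay guard refuses a step that has already been consumed.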

    So what’s all the fuss about two-factor authentication anyway? Why should I use 2FA? 

    Well, one of the biggest reasons to use 2FA is the added security it gives you. 2FA makes it harder for attackers to hack into your account; instead of trying to bypass one layer of security, the attacker has to bypass two layers. However, this doesn’t mean that 2FA is a sure way to stop people from getting into your accounts. It just improves security with little effort on your part. 

    So does this mean that I can use easier passwords if I use 2FA?

    You have some leeway for using a slightly easier password now that you have an extra layer of security, but I would still highly recommend that you use strong passwords to keep your accounts more secure. 

    Okay, so what are some downsides to 2FA?

    One downside to 2FA is that most people use it on their cellphones. I admit that this is the most convenient method, but if you’re using your phone to enter both a password and the second layer of security, it becomes less secure. There’s always a risk that your phone could be stolen or that malicious apps might attempt to steal your stored passwords. Nowadays, a typical cellphone contains everything but the physical keys to your door.

    The other downside is that 2FA can be a hassle. It takes a moment to set up, and when you want to log in, 2FA requires that you have access to the thing you are using as your second factor. This is also why more and more people are using their smartphones as the token. 

    Some sites that allow two-factor authentication:

    • Facebook
    • Gmail
    • Twitter
    • LinkedIn

    Now that you know a little more about two-factor authentication, the ball is in your court. Some people choose to use 2FA, while others opt not to. What will you do?

     

  •  Password Managers

    Wednesday, May. 27, 2015
    PASSWORD MANAGERS*
     
    What is a Password Manager Tool?
    A password manager tool is software that helps users to encrypt, store, and manage passwords.  The tool also helps users to create secure passwords and automatically log into websites.
     
    Who Might Use a Password Manager Tool and Why?
    People should use unique passwords for each website or system they log in to, in order to minimize the impact of a breach of any one website or system.  However, most users cannot remember a separate password for many sites and tend to reuse the same password or write passwords on sticky notes attached to their computer. Password manager tools allow users to manage many distinct passwords more securely and to log in to websites automatically.
     
    Benefits to Using a Password Manager Tool
    Password manager tools enable users to create and securely maintain unique passwords for websites and other systems without having to memorize or write down passwords.
     
    Risks to Consider When Using a Password Manager Tool
    Special care should be taken to secure the password tool since it will grant access to all passwords.  The “master” password that grants access to the tool should be a very strong, complex, and unique password; use multifactor authentication if possible.  Additional considerations should be made about whether you want your password management tool to store the passwords locally or in the cloud.
     
    List of Technology/Tools That a User Might Consider
    Below are three popular password manager tools that an end user might consider for use.  Users should evaluate which tool works best for their own unique purposes.  The Information Security Office does not recommend the use of a particular tool. End users employ these tools at their own risk.
     
    LastPass (https://lastpass.com/) is easy to use, supports most popular browsers and mobile devices, offers multifactor authentication options for the master password, notifications for hacked sites, does not share the encryption key with LastPass, provides a password strength indicator, and performs additional password tests like ensuring that you’re not using the same password across multiple sites.  However, the ease of use requires that the password database be stored in the cloud. Additionally, as a web-based tool, your password database is available to anyone in the world with an Internet connection and your master password. For this reason, it is strongly recommended that you use multifactor authentication. 
     
    KeePass (http://keepass.info/ and http://www.keepassx.org) does not share encryption keys with KeePass, provides a password strength indicator, and the password database is not stored in the cloud.  Ease of use across multiple devices is a little more complex as the user needs to maintain access to their private password database manually.
     
    1Password (https://agilebits.com/onepassword) does not share encryption keys with 1Password, provides a password strength indicator, and the password database can be stored in Apple’s iCloud, DropBox or locally on personal devices.  Ease of use across multiple devices is easy if stored in the cloud, but more secure if stored locally.  The iOS version can be configured to support Touch ID on compatible devices.
     
    Higher Education Reference Pages
     
    Boston University 
     
    Indiana University 
     
    Pepperdine University
     
    Purdue University
     
    University of Illinois at Urbana-Champaign
     
    Adapted with permission from EDUCAUSE and the Higher Education Information Security Council
    *not written by the author
  •  Be Wary of Telephone Scams

    Wednesday, Apr. 29, 2015

    Not only do cyber criminals send you fraudulent (phishing) email messages and set up fake websites, they may also call you on the phone. Oftentimes they will offer to help solve your (nonexistent) computer problems or sell you a software license. The most common type of phone scam is the tech support scam. Cyber criminals can be very persuasive in getting you to trust them. They might know your name and other personal information, usually gained from public phone directories or even through research. They might even guess what operating system you're using. After they have gained your trust, they might ask for your username and password, or ask you to go to a website and install software that will let them access your computer to "fix" it. Once you do this, your computer and your personal information are vulnerable. 

    Once they have access to your computer, they will be able to do the following things:

    • Trick you into installing malicious software that could capture sensitive data, such as online banking user names and passwords. They might also then charge you to remove this software.
    • Take control of your computer remotely and adjust settings to leave your computer vulnerable.
    • Request credit card information so they can bill you for phony services.
    • Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.

    So how can I protect myself from phone tech support scams?

    If you feel that you have received a fraudulent phone call:

    • Do not purchase any software or services.
    • Ask if there is a fee or subscription associated with the "service." If there is, hang up.
    • Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
    • Take the caller's information down and immediately report it to your local authorities.
    • Never provide your credit card or financial information.

    More information

    http://scu.edu/is/secure/blog/index.cfm?c=19636 

     

  •  Encrypt Zip Files

    Friday, Feb. 20, 2015

    Need to encrypt your files, but don't have the software to do it? LOOK NO FURTHER! I am here to show you how to encrypt your files! 

    If you are a Mac user, please follow this link (click here) to encrypt your files, because the software I will be talking about is for Windows users. Alternatively, you can download Keka, which is a free file archiver for Mac OS X, here. Instructions on how to use Keka can be found here.

    If you are a Windows user, please keep reading. If you use Linux, you can google it or click here: (option 1) or (option 2)

    Let's get started. The software that I will be talking about is called 7-Zip.

    7-Zip is open source software that compresses (zips) files and can secure the archive with encryption. Alternatively, you can also use WinZip (click here for WinZip). To download 7-Zip, click here.

    After the software has been installed, you can proceed to encrypt a file or folder:

    STEP 1:

    Right click on the file/folder to be encrypted. 

    Select "7-Zip" and then "Add to archive"

    STEP 2:

    Change the name of the archive you wish to create.


    STEP 3:

    Change the Archive format to "Zip".


    STEP 4:

    Change the Encryption method to "AES-256". You can also select ZipCrypto, but AES-256 is more secure. However, if AES-256 is selected, the recipient of the zip file may have to install 7-Zip or another zip program to open it. Selecting ZipCrypto allows users to open a zip file in Windows without a zip program. 

    I strongly recommend that you use AES-256 to protect your data. 


    STEP 5:

    Enter a strong password. Here are some tips on how to create a strong password: (option 1) or (option 2).


    STEP 6:

    Select "OK" to create the encrypted archive file. This file will be located in the same folder as the original.

    You have encrypted your file! Congratulations! 

    *to open the file, you just need to enter the password
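    The steps above are the 7-Zip GUI. As an added example, not from the original post and not part of 7-Zip itself, here is a Python script that inspects the finished archive and reports, entry by entry, whether it was encrypted with AES-256 (the STEP 4 setting), with the weaker ZipCrypto, or not at all, so you can check before sending it. It reads the WinZip AES extra field (header id 0x9901) that 7-Zip writes for AES entries; the sample archive built inside the script is constructed and unencrypted, because Python's standard library can read but not write encrypted zips. The file name `check_zip.py` in the usage note is an assumption.

```python
import io
import struct
import zipfile

# WinZip AES extra-field record, the scheme 7-Zip uses for "AES-256" in zip archives.
WINZIP_AES_HEADER_ID = 0x9901
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}
AES_COMPRESS_TYPE = 99   # method 99 marks an AES entry; the real method sits in the extra field


def parse_aes_extra(extra: bytes):
    """Walk the (id, size, body) records of a zip extra field. Return
    (strength_name, actual_compression_method) for a WinZip AES record, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == WINZIP_AES_HEADER_ID and len(body) >= 7:
            _vendor_version, vendor_id, strength, method = struct.unpack("<H2sBH", body[:7])
            if vendor_id == b"AE":
                return AES_STRENGTH.get(strength, "unknown"), method
        pos += 4 + size
    return None


def inspect_archive(data: bytes):
    """Per-entry report of encryption status and method. Entry names are readable
    even in an encrypted archive: zip encrypts file contents, not the directory."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0 = encrypted
            aes = parse_aes_extra(info.extra)
            if not encrypted:
                method = "none"
            elif info.compress_type == AES_COMPRESS_TYPE and aes is not None:
                method = aes[0]
            else:
                method = "ZipCrypto"                 # encrypted, but with the legacy PKWARE scheme
            report.append({"name": info.filename, "encrypted": encrypted, "method": method})
    return report


def all_aes256(report) -> bool:
    """True only when the archive is non-empty and every entry is AES-256 encrypted."""
    return bool(report) and all(entry["method"] == "AES-256" for entry in report)


def make_plain_zip() -> bytes:
    """Constructed sample: an ordinary unencrypted zip built in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "constructed sample content, nothing sensitive")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # With a path argument, inspect that archive; without one, inspect the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_plain_zip()
    rep = inspect_archive(data)
    for entry in rep:
        print(f'{entry["name"]}: {entry["method"]}')
    print("OK to send" if all_aes256(rep) else "NOT fully AES-256 encrypted")
```

    Run it as `python check_zip.py archive.zip` after STEP 6. An archive saved with ZipCrypto in STEP 4, or with the encryption left off, shows up immediately. The same check is useful on the command line: the 7-Zip CLI equivalent of steps 3 to 5 is `7z a -tzip -mem=AES256 -p archive.zip file`, and the script confirms what the GUI or CLI actually produced. Note that the file names inside the archive stay visible to anyone who lists it, whichever method you choose, so give sensitive files neutral names.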

  •  De-Cloud Your Life

    Wednesday, May. 21, 2014

    The term "the cloud" can be used to refer to the Internet. Marketers have popularized the phrase "in the cloud" to refer to software, platforms, and infrastructure that are sold as a service. Usually, the seller has servers that host products and services from a remote location, so users don't have to. They can just log on to the network without installing anything. These services may be offered in a public, private, or mixed network. Google, Amazon, IBM, Oracle Cloud, Microsoft Azure, and Dropbox are some examples of cloud vendors.  

    Cloud services have expanded as more and more users are using the Internet. Cloud services can be quite useful as a cheap "offsite backup". For example, keeping documents or a list of serial numbers of your things in case of a robbery or catastrophic event, such as an earthquake.

    Let's use Dropbox for an example.

    Dropbox usually requires a username and password to access documents. It even offers a two-factor solution as an option. However, a user can allow others to view a document by sending them a "secret link". But links can be easily leaked. As users rely more on cloud services to share files, with passwords that are too troublesome to set up, leaked links will become more commonplace. 

    Let's assume that the cloud service works as designed and your username and password are strong enough. But when you share files with other people, you run the risk of others not taking the same care with the files as you would. Their passwords could be weaker than yours, or they could post the link on the Internet.  

    Although cloud services are good, there is some information that you shouldn't store in the cloud, such as confidential, personal, financial, or medical information, unless you encrypt it before uploading. 

    Here are a couple of ways to "de-cloud" your life:

    • Set up an "ownCloud" server. It works very much like Dropbox, with mobile clients available for Android and iOS. But you will have to run the server. I suggest you make it accessible via a VPN connection only. Sharepoint may be a similar solution for Windows folks.
    • Run your own mail server: This can be a real pain and even large companies move mail services to cloud providers. But pretty much all cloud mail providers will store your data in the clear, and in many ways they have to. Systems to provide real end-to-end encryption for cloud/web-based e-mail are still experimental at this point.
    • Offsite backup at a friend's or relative's house. With the widespread availability of high speed home network connections, it is possible to set up a decent offsite backup system by "co-locating" a simple NAS somewhere. The disks on the NAS can be encrypted, and the connection can again use a VPN.
    • For Apple users, make local backups of your devices instead of using iCloud. iCloud stores backups unencrypted and all it takes for an attacker to retrieve a backup is your iCloud username/password.
Information Security Office, 1-408-554-5554, iso@scu.edu