Happy Cyber Security Awareness Month 2017!


Oct. 1 begins National Cybersecurity Awareness Month (CSAM). This is an initiative that was co-founded by the National Cyber Security Alliance and the U.S. Department of Homeland Security. Now in its fourteenth year, this month of watchfulness stretches to countries around the world under the auspices of CSAM. As we move into the month, I want to remind the Warrior community that we are all responsible for our own cyber security. The core message of CSAM is that the “internet is a shared resource and securing it is our shared global responsibility.”

In order to encourage everyone to take Cyber Security into their own hands, the NCSA has initiated an awareness and education campaign for online safety and protecting your personal information. It is called: STOP. THINK. CONNECT.™ The great thing is that people are in no way being told that the internet is so dangerous that we shouldn’t use it. The campaign is just stating that we all need to stop to think about the consequences of our actions and then enjoy all the benefits the internet has to offer.

The National Cybersecurity Alliance has some pointers I’d like to offer you so that you can remain #cyberaware:

  1. Lock down your login: A password and a username are not really enough to protect your important accounts. Use stronger authentication tools (security keys, biometrics, etc.) whenever possible. Two-step authentication can be your best friend when you want to keep your info safe. (Find info about two-step authentication at Wayne State at kb.wayne.edu/160520.)
  2. Keep a clean machine: Make certain that all software and apps on your mobile devices and computers are up to date. This makes certain that security updates are working in your favor.
  3. When in doubt, throw it out: If you receive an email, tweet or posting that has a link and you do not recognize it, just delete it or mark it as junk.
  4. Back it up: Protect all your digital information by keeping copies in a safe place. You do not want to lose your valuable data if something should happen to one of your devices.
  5. Own your online presence: Make certain that you are comfortable with your privacy and security settings for websites. The site’s default may tell people more about you than you realize. Check your privacy settings.
  6. Share with care: Think before you post anything about yourself or other people online. What is revealed could affect you or your friends and family more than you initially think.
  7. Personal information is like money. Value it. Protect it: Your interests, location, purchase history, etc. are valuable to a lot of people. Be mindful of the apps and websites you are using and what they may be collecting about you.

The internet offers a plethora of information and entertainment. While you are online laughing at cat videos, make certain that you are watching out for your privacy and security. Be #cyberaware.

Creepy new smartphone surveillance tricks

One of my favorite gadget gossip websites, Engadget, had a post last week from Violet Blue, an internet privacy activist, about a cute new piece of snooping software called SilverPush. (Warning: Violet Blue is an internet privacy activist. But she’s also a porn artist and porn philosopher (!). Also a somewhat radical feminist. Visiting some parts of her own website can be ‘not safe for work’.)

It seems that some phone apps (but it’s not clear which ones) activate your smartphone’s microphone, and listen for signals being sent from your TV or computer. When it hears that signal (it’s not clear whether the signal is inaudible or masked in other noise) it sends a bunch of information about you to the advertiser you are listening to on your TV or computer.

What happens next is that your phone, or another computer you are logged into, or a tablet or whatever, will serve you up ads based on the signal that was sent to your phone. As Ms Blue puts it:

The service it delivers to advertisers is to create a complete and accurate up-to-the-minute profile of what you do, what you watch, which sites you visit, all the devices you use and more.

The result is that your phone is watching you all the time, and making note of which ads you’ve seen so that it can send you more, including being able to text or phone you (one of the pieces of information that it ‘shares’ is your cellphone number).

Apparently the Federal Trade Commission was a little creeped out by this too, and told them to start warning people they were doing this. Apps that use SilverPush apparently include some Samsung apps and Candy Crush. They claim that no US companies are using their service, but some have questioned that, since the list of companies they contract with is a secret.

Here’s another, perhaps a little less panicked view. Still, I’d recommend that when you install a new app, and it asks whether you want it to use the microphone, you might want to say ‘no’.

Interestingly, the Nielsen company (the ones who track who’s watching which TV shows) uses a similar technology, but on a much more open and aboveboard basis. They ask their raters to wear a ‘pager’ that also listens to the TV or radio for subsonic tones identifying which program is on. But of course, Nielsen contracts with the people wearing the pager, and pays them to do so.

For more general musing on the state of privacy with respect to the data that companies collect about us, you can watch this rather long, but entertaining talk by Bruce Schneier at a recent Cato Institute Conference on Surveillance.

Tomorrow I’ll post a blog on how to check to see if your smartphone is using your camera or microphone for things you might not know about.

Help us help you–participate in the ECAR survey

Many WSU faculty (50% of them, to be precise) have been receiving requests to take part in a national survey of faculty attitudes towards technology at the university. The survey is being run by Educause, the national educational IT organization. This is the second year this survey has been run, and last year’s survey produced some interesting results about faculty interests and desires around everything computing-related.

Last year’s results are available in ‘infographic’ format here:

http://net.educause.edu/ir/library/pdf/ers1407/eig1407.pdf

Some relevant findings from last year:

  • Nationally, fewer than fifty percent of faculty are satisfied with IT support for research.
  • Opinions on the use of smartphones in class are mixed, with about half of faculty banning or discouraging them and only a third encouraging or requiring laptops (I myself don’t see how I could ban smartphones, and I’ve taught classes where laptops were required because we were all learning how to use some online tool).
  • Many faculty feel they could be better at using web-based content and online collaboration tools in their courses, but there was less enthusiasm about social media as a teaching tool.

There are two versions of the survey, one that takes about twenty minutes to half an hour, and another that takes only ten minutes. Whichever one you choose, your participation will be greatly appreciated, and will help C&IT plan our investments for the next couple of years.

Look for a reminder and your personalized invitation to join in the survey tomorrow. If you don’t get one, you’ll be asked to participate in a more general survey of IT satisfaction that all other faculty, staff and students will take part in later this semester.

Office 365–Now Free to Our Students

[Image: Office logo, from Microsoft’s Office 365 page]

Wayne State has signed up for Microsoft’s Student Advantage Program – C&IT now provides free downloads of the latest version of Microsoft Office to all currently registered Wayne State students. This includes full-featured current versions of Word, Excel, PowerPoint, and Outlook for PCs and Macs. PC users also get Access and OneNote. Students will be permitted to download five (5!) copies, which will run on Mac OS X, Windows, and Windows tablets running (real) Windows 8 (not RT).

Although the download process is a little complicated, there are clear instructions, and the Help Desk stands ready to provide assistance. C&IT didn’t forget faculty and staff – keep an eye out for Microsoft-related updates coming your way in the next year. Meanwhile, many folks have access to some version of Office through deals their colleges or departments have made–check with your tech support folks to find out. In some cases you can get a complete downloadable set for your home computer for the relatively low price of $75. The full details on the Student Advantage Program are available at computing.wayne.edu/office – tell your students at your first class. It’s a great deal!


How to prevent your heart from bleeding

By now probably everyone has heard about the Heartbleed problem, but just in case you haven’t, here’s a quick summary. One of the programs[1] that websites use to communicate securely with customers, called OpenSSL, turns out to have a vulnerability that would let bad guys snoop on traffic to and from those websites even though the data exchanged between them is supposed to be encrypted (as indicated by the icon of a closed padlock in the address bar, and https in the address itself).

The accidentally unlocked ‘door’ has been around for a while, and so there is a chance that your communications with Gmail, Facebook, tumblr and others have been snooped on. There is even a chance that your password has been swiped, and, of course, if you use the same password in various sites, any stolen password will work on all those sites.

What can you do? First of all, all your Wayne State data is safe–the WSU systems were not running OpenSSL, so they are all safe. The Wayne VPN is vulnerable, but the VPN itself was protected from external attacks in another way, so there is no risk there. But, of course, you have passwords on many other sites, and for some of those you should probably consider some password ‘maintenance’. Specifically, you should probably change those once a month for a while. I’ve already changed my Gmail and Dropbox passwords, and am working on several others.

The real takeaway from this event is that you should not reuse passwords from site to site. Of course, that’s easier to say than to do–most of us have dozens, if not hundreds of passwords, so some kind of password management tool is becoming more and more necessary. I, myself, use Lastpass, which stores my passwords online (of course I use a unique, complex but memorable password for that). It not only stores all my passwords, it even suggests complex non-memorable passwords. Since it will automatically fill them in for me I don’t need to remember them. If you don’t like having it fill things in automatically you can invoke it (there’s a plug-in for every popular web browser), display the password and copy it into the relevant website as you log in.

Note that I have no connection with Lastpass, and there are other worthy competitors such as Keepass and Roboform. You can read a review of them here.

Lastpass has an interactive form you can use to see whether your favorite websites have been protected. You can find that here.

If you are interested in the technical details on how Heartbleed works you can watch this video, which lasts about 8 minutes. It’s not horribly abstruse–if you kinda know how websites communicate with your computer you can follow it.

Mashable has a good summary of which websites you need to worry about.

One final thought. NEVER send your password to anyone for any reason through email. And, in fact, if an email tells you to change your password, if you think it actually is authentic, don’t follow a link in the email to change it. Instead, use a bookmark, or type in the web address yourself, so that you know you are changing the password in the right place, and not in a rogue server in Tuvalu.

———-

[1] I know that calling it a ‘program’ oversimplifies things, but this characterization will suffice for our purposes.

Net Neutrality Dissed

Some of my fan base may recall that I’ve posted on this topic here, here and here.

On Jan. 14 the US Court of Appeals for Washington DC ruled that the FCC’s Net Neutrality Rules were impermissible, because the FCC did not have the authority to regulate the Internet. Essentially it ruled that Verizon isn’t a ‘telephone company’ (like the old Laugh-In skit where Lily Tomlin said: ‘you’re dealing with the Telephone Company’).

Instead, the judge ruled that Verizon is an ISP (an internet service provider) and therefore not a ‘common carrier’, so the FCC lacks jurisdiction.

Naturally many people have concluded that the end is nigh, and that poor people won’t be able to afford the Internet. Or that Comcast won’t let you get to Google. Or Apple. Or maybe Apple won’t let you get to Google. Of course, prior to the FCC trying to regulate in this way nobody could find an instance of where this actually happened. So I’m not horrified. YMMV.

News reports available here:

New York Times

Ziff Davis Net

Information Week

More ways to protect your smartphone

Last Monday I suggested ways to prevent thieves from getting in to your phone if it is stolen. Today I’ll talk about some more tricks you can use to keep your life private.

If you have an iPhone you can find it, and remotely wipe it (that is, remove all user-installed data). Formerly you needed to install an app called Find My Phone, but now you go to Settings, then tap iCloud. (Note that these instructions apply also to iPads.) Here are the rest of the instructions from Apple’s site:

  1. If you’re asked to sign in, enter your Apple ID, or if you don’t have one, tap Get a Free Apple ID, then follow the instructions.
  2. Tap to turn on Find My iPhone (or Find My iPad or Find My iPod), and when asked to confirm, tap Allow.

Once you’ve got it set up, you can go to Apple’s Find website and then sign in with your AppleID. If the phone is turned on (and not in Airplane mode) a green dot will appear on the map (here’s what mine looks like as I write this):

[Image: Find my phone map view]


If you want to erase it, instructions are on this web page. Note that if you click on My Devices and then on the relevant phone (or iPad, for that matter) you can make it play a sound (in case it’s in your house and you’ve lost it) or erase it, but once you do that it won’t have Find my phone on it either.

Finally, be sure you have the latest version of the operating system on your phone: 7.0.3. If you don’t have at least 7.0.2 someone could turn off Find my phone without getting past the lock screen (which, you’ll recall, you set after reading my last blog 🙂 )

Remember, these instructions work for iPads as well, because they use the same operating system.

The instructions for Androids are somewhat more complex (due, in part, to the fact that there is no uniform implementation of the Droid operating system–please no brickbats.), and instructions on remote wiping of those devices will have to wait for a later blog.

More on the sad Aaron Swartz Case

After Aaron Swartz committed suicide a few months ago the uproar led MIT to commission an internal inquiry. It released its findings a couple of days ago (in and around the controversy swirling around the NSA and its various programs). While they conclude that MIT didn’t actually do anything wrong, they suggest that they might have acted differently:

http://chronicle.com/article/In-Swartz-Case-World-Didnt/

http://www.cnn.com/2013/07/30/tech/web/mit-report-swartz

http://www.ecampusnews.com/policy/legislation/mit-releases-report-on-aaron-swartz-case-finds-no-wrongdoing-on-its-part/

Larry Lessig suggests that MIT is ducking its actual responsibilities:

http://www.lessig.org/2013/07/the-mit-report-on-aaronsw/

JSTOR (the source of the data that Swartz was downloading and ‘freeing’) also had a statement:

http://chronicle.com/blogs/wiredcampus/jstor-releases-documents-and-summary-of-its-role-in-swartz-case/45185?cid=at&utm_source=at&utm_medium=en

A couple of months ago Techdirt discovered that the prosecution of Swartz was likely politically motivated, incidentally:

https://www.techdirt.com/articles/20130223/02284022080/doj-admits-it-had-to-put-aaron-swartz-jail-to-save-face-over-arrest.shtml