Happy National Cybersecurity Awareness Month 2018! Police your Password

It’s October! This means that—along with all those ever-important holidays like “Global Handwashing Day,” “National Feral Cat Day,” and “International Day of the Nacho”—it is National Cybersecurity Awareness Month! Unlike “Sweetest Day” (which I had honestly never heard of until I moved to Michigan), you do not have to buy someone candy to show your affections; you simply need to make certain that you are taking care to protect your online privacy.

As part of NCSAM, I thought that I would talk a bit about something we do not consider much: the password. Many of us realize that they are unavoidable, but consider them a nuisance that has to be worked around in order to do the things we want or need to do.

The average person spends eleven hours connected to the internet every day. From banking to chatting with friends, uploading a paper on Canvas to registering for classes, there is really no limit to the things we do on a daily basis online. Almost every single resource we use—from Facebook to Wayne Connect—is secured with a password. You may choose to better secure yourself using two-factor authentication (which I covered last year for NCSAM) but the first line of defense is always our password.

Sadly, most of the population is really bad at creating passwords. For example, this past week, I happened to watch the first episode of the Murphy Brown reboot, in which Candice Bergen’s character instructs her son to use “password” as the password for a new Twitter account. Amazingly, the IRS was actually discovered to be using “password” for a password for secure systems in 2015.

I find it interesting that we still have lists of worst passwords. In 2017, Time Magazine reported this list of the top ten worst passwords:

  • 123456
  • Password
  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou

These few statistics point out exactly why we cannot take risks with simple passwords:

  • In analyses of leaked password dumps, the 10,000 most common passwords (such as 12345, qwerty, or 123456) unlock roughly 98% of the accounts.
  • Roughly 90% of user-chosen passwords are considered crackable.
  • The average user has around 26 online profiles or accounts, yet uses only about five distinct passwords across all of them.
  • In 2014, a list of about five million Gmail addresses and passwords was posted online; Google said the credentials had come from breaches of other sites, not from Google, and that most of them no longer worked.
  • In 2017, Yahoo admitted that the breach it had suffered in 2013 affected all three billion of its accounts.

So, what is important in creating a password?

  1. Make it unique. Do not use the same password for more than one account. Attackers routinely take the username and password pairs from one breach and try them everywhere else (“credential stuffing”), so a reused password is only as safe as the weakest site that holds it.
  2. Make it long. Length does more for you than anything else. Eight characters is a floor, not a goal; twelve or more is better, and a password manager makes twenty painless.
  3. Use a phrase. Several unrelated words are both longer and easier to remember than one mangled word. Use a phrase no one else would associate with you.
  4. Vary the characters. Combine uppercase, lowercase, numbers, and special characters; many accounts require this. As an example, using this and the previous suggestion, “happy birthday” could be written as “H@ppyB1r+hD@y.” Be aware that this buys less than it appears to: password-cracking tools apply exactly these substitutions (@ for a, 1 for i, + for t) as rules, so the mangled phrase is only slightly harder to guess than the plain one. Adding another word helps far more than adding symbols.
  5. Avoid personal information and common words. Do not use information that someone could easily find out. If someone can learn your child’s name and birthday from a simple Facebook post, that is not a good password.

With those thoughts, I would highly suggest that you consider using a password manager to create and maintain unique credentials for all of your profiles. A password manager is a type of software that creates, stores, and protects passwords. The best of these services should have an app for your mobile device that works in conjunction with add-ons for your computer’s browsers. This allows you to have your information everywhere you go.

Some of the top password managers are Dashlane, LastPass, and Keeper. Though some of these have free versions, they are often limited in the number of passwords they will store or in how you can share a password. Given the cost and hassle that go along with identity theft, these programs are generally worth the price. Since most of us juggle many accounts, we would all be best served by using one.
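As an added example (not from the original post), the following Python script implements the five tips above the way a practitioner would check them, including the cracking-rule view of the substitution trick, and shows what a password manager does when it generates a credential for you. The worst-password list is the one quoted above; the extra phrase entries in the dictionary and the “personal information” set are constructed for the example.

```python
import math
import re
import secrets
import string

# The ten "worst passwords" quoted above, plus a few phrase entries constructed
# for this example to stand in for the much larger dictionaries crackers use.
DICTIONARY = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou",
    "happybirthday", "welcome", "sunshine",
}

# Substitutions that every cracking rule set already undoes, so "H@ppyB1r+hD@y"
# is tested as "happybirthday" rather than as a 13-character random string.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})
TRAILING = string.digits + string.punctuation


def normalize(password: str) -> str:
    """Undo case and leet substitutions: 'H@ppyB1r+hD@y' -> 'happybirthday'."""
    return password.translate(LEET).lower()


def candidates(password: str):
    """Forms a cracker would try: as typed, with trailing digits/symbols
    stripped ('Password1!' -> 'password'), and with substitutions undone."""
    for form in (password, password.rstrip(TRAILING)):
        yield form.lower()
        yield normalize(form)


def weaknesses(password: str, personal=()) -> list:
    """Return the reasons a password fails the five tips (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if any(form in DICTIONARY for form in candidates(password)):
        problems.append("a dictionary word or phrase once substitutions are undone")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    for item in personal:  # e.g. names and dates visible on social media
        if item.lower() in normalize(password):
            problems.append(f"contains personal information: {item!r}")
    return problems


# Roughly what a password manager does for you: a uniformly random string with
# at least one character from every class, drawn from the OS's CSPRNG.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           "!@#$%^&*()-_=+[]{};:,.?")
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 20) -> str:
    rng = secrets.SystemRandom()
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def guess_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """log2 of the number of equally likely strings the generator can produce."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("Password", "H@ppyB1r+hD@y", "Password1!", generate_password()):
        print(f"{pw!r}: {weaknesses(pw, personal={'birthday'}) or 'ok'}")
    print(f"20 random characters: {guess_space_bits(20):.0f} bits of guessing work")
```

Running it shows “Password1!” and “H@ppyB1r+hD@y” both collapsing to dictionary entries once the trailing characters and substitutions are undone, while the generated twenty-character credential passes every check and offers about 128 bits of guessing work, which is the point of letting a manager choose for you.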

Good news to remember for NCSAM! I know how much people complain when our Wayne State accounts require us to change our password. Because we want to encourage the whole Wayne State family to use better passwords, C&IT has instituted a policy under which we will never again ask you to change your password as long as it meets certain strength requirements.

Have a wonderful National Cyber Security Awareness Month! Celebrate by spending a little time making certain that your information is safe both at home and work.

If you’d like some more tips for creating a secure password, see this excellent infographic from Mike’s Gear Reviews below.

Create Secure Password Infographic

Do you want to be a privacy officer?

After serving as chief privacy officer for the past year and a half, I will be retiring from Wayne State University at the end of the winter semester. We have been given permission to search for a replacement, so I thought I’d use this platform to say a little about what a Privacy Officer does.

The simplest way to describe it is to link to my Educause blog on “A day in the life of a Chief Privacy Officer.”

However, if you’re interested in the tl;dr1 version, allow me to give you the “elevator speech.” Universities, like nearly all other organizations, hold information about any and all people they deal with. For universities this includes data about students, faculty, staff, alumni and visitors. In 2017 it tends to be electronic records, although there are still thousands of pieces of paper with data on them as well.

Some of those records are sensitive. This means that the information could harm the person it refers to if it is released, or that its unauthorized release would subject the university to legal penalties because the data is protected by law. Or both. For example, social security numbers have become toxic (as we say in the privacy world) because those numbers can be used to commit identity theft. Student records such as grades are protected by the federal law known as FERPA and could cost the university embarrassment and money if they are released to unauthorized persons.

The privacy officer’s job is to help the university keep those records safe from inappropriate release by developing policies, by ensuring that employees are trained in how to apply those policies, and by reviewing how new methods of storing data (such as new versions of Banner or Academica) are configured to ensure the data therein is properly locked up.

This means serving on a lot of committees, meeting with administrators and researchers storing sensitive data, and speaking to groups such as the Academic Senate and the Administrative Council. It also means working closely with the Office of General Counsel, Internal Audit, the Associate Provost for Academic Personnel, and serving on the leadership team of C&IT.

If you think you might be interested in learning more about this position, you can find it listed at jobs.wayne.edu under position number 042601.


1 This popular internet acronym stands for ‘too long; didn’t read’. Usually an expression of disapproval.

How to protect yourself against the CIA (or anybody with their files)

By now most people have heard about the WikiLeaks revelation that the CIA has for years been developing programs to break into iPhones, Android phones and Samsung smart TVs. Assuming you do not want them to do that, it turns out there are ways to keep them out of your house.

First, the background. WikiLeaks is the infamous outlet for supposedly secret data, run by a consortium led by Julian Assange (who is currently living in Ecuador’s embassy in London to avoid extradition). On Tuesday, WikiLeaks released thousands of pages of material that had supposedly gotten loose from the CIA (and had hence been floating around the less public areas of the internet). These include tools for hacking Skype, your Wi-Fi router, Apple and Android smartphones, and the apps Signal, WhatsApp, Telegram and more, amounting to several million lines of code. (Strictly, the tools compromise the phone itself and read messages before the apps encrypt them; the apps’ encryption is not broken.) So far WikiLeaks has redacted the crucial bits of the code to prevent it from being used by those who download the files.

But what if you think there’s no reason for the CIA to be snooping on your devices? Unfortunately, WikiLeaks released these files because they were floating around “in the wild” already, which means that not only the CIA but other folks have access to them. And, whatever you think of the CIA, we have no assurance that the outsiders who passed these files around have motives as “pure” as the CIA’s.

There’s been some discussion about whether these files are authentic, but the betting in the security community is that they are. Bruce Schneier, whom I consider a reliable judge of such things, seems to believe they are real and has discussed the topic on his blog twice now.

What you can do

Can you do anything to protect yourself against these tools? Probably, yes. The New York Times had an article on Thursday detailing simple steps you can take to make your devices somewhat more secure. The primary thing is to keep your operating system up to date. This is not news, of course — we in the C&IT Security/Privacy team have been saying this for years.

Make sure your iPhone is using iOS 10 if it can (the iPhone 5 and later can run it, as can the fourth-generation iPad, the iPad Air and the iPad mini 2 and later).

For Android phones and tablets, any version of Android after 4.0 should be safe from the exploits described, but newer is better, and older devices such as the Samsung Galaxy S3 cannot be updated past what the manufacturer shipped. Check Settings for both the Android version and the security patch level, and install whatever update is offered.

To protect your Wi-Fi router, you are advised to upgrade to the latest firmware. This is trickier unless you are comfortable logging in to your router’s administration page, but your internet service provider’s help desk can probably talk you through the task. While you are logged in, change the administrator password if it is still the factory default.

Unfortunately it does not seem so easy to lock a Samsung SmartTV down. Of course, you can always unplug it when you are not watching it1, although then you have to wait for it to boot up before you can head over to Amazon to watch Mozart in the Jungle or whatever your favorite streaming program happens to be.


1 Turning the TV off with the remote does not actually turn it off. It stays in a listening mode, and a malicious hacker can also turn on the camera (yes, some SmartTV models have cameras). So mind the hanky-panky in front of your TV; someone may be watching.

April 15 is coming, and so are the IRS scams

Most Wayne State folks have now received their W2 forms and are probably putting off thinking about submitting their income tax returns, so now is the time to start worrying about all the things that could go wrong.

As most readers will remember, Wayne State was one of a number of universities whose employees were hit with fraudulent returns last year. This happens when someone illegally files in your place, fiddling with the numbers so that they will get a refund. Generally speaking, when this happens you are not on the hook, but it can be a pain in the neck to get it sorted out and it will probably interfere with your filing for several years afterwards, so it’s a good idea to take actions that will reduce the likelihood of being a victim.

There is a limit to what you can do, but I have collected the key safety steps here. The major one is to increase your vigilance online. Do not share your Social Security number: it should never appear in an email, or anywhere else other than where it is legally required (such as on your tax return). Although your bank needs to know it, there is no reason for it to appear on any bank website or on any paperwork you receive in the mail from your bank. It will, of course, appear in correspondence with the government (a dreaded letter from the IRS, correspondence with the state or city about taxes owed, or a happy letter about a refund due).
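The rule that a Social Security number should never appear in an email is exactly what an outbound mail filter enforces. The following Python script, added here as an example and not part of the original post, shows the two halves of such a check: spotting SSN-shaped numbers, and discarding the ones that cannot be real so that a test record or an order number does not trigger a false alarm. The sample message is constructed; the structural rules (area never 000, 666 or 900-999, group never 00, serial never 0000) are the ones the Social Security Administration publishes.

```python
import re

# Three groups separated by a dash or a space, on word boundaries, so that
# longer digit runs such as order numbers are not matched.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: the area is never 000, 666 or
    900-999, the group is never 00 and the serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list:
    """All structurally valid SSNs in `text`, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]


def redact_ssns(text: str) -> str:
    """Replace each plausible SSN with ***-**-NNNN, keeping only the serial
    so the recipient can still tell which record is meant."""
    def mask(m):
        if not plausible_ssn(*m.groups()):
            return m.group(0)
        return f"***-**-{m.group(3)}"
    return SSN_RE.sub(mask, text)


def check_outbound(text: str) -> dict:
    """What a mail filter would return: whether to block, what it found,
    and a redacted copy of the body it could deliver instead."""
    found = find_ssns(text)
    return {"block": bool(found), "found": found, "redacted": redact_ssns(text)}


# Constructed sample of an outgoing message.
SAMPLE_EMAIL = """Hi,
Attached is the W-2 for employee 219-09-9999 as requested.
Our test record uses 000-12-3456 and the sample form shows 987-65-4320.
The purchase order number is 2190-99-9999.
"""

if __name__ == "__main__":
    result = check_outbound(SAMPLE_EMAIL)
    print("block:", result["block"], "found:", result["found"])
    print(result["redacted"])
```

Only the first number is flagged: the second has an impossible area, the third falls in the reserved 900 range, and the purchase order is skipped because the word boundary prevents the pattern from starting in the middle of a digit run. A real filter would add bare nine-digit runs as a lower-confidence match and look inside attachments as well.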

The most effective positive action you can take is to file as early as possible (although a friend of mine posted on their Facebook page a couple of days ago that someone had already filed in their place). I realize it’s as American as apple pie to put it off till the evening of April 14, but it is a good defensive strategy to file really early.

Additionally, it is extremely important you do not let yourself get phished. Phishing (luring victims in with realistic-looking emails) is the most widely used weapon in identity theft. In fact, we will be doing one (or perhaps more) anti-phishing training sessions over the next couple of weeks. Our Chief Security Officer, Kevin Hayes, and I, your Chief Privacy Officer, have a roadshow we’ll be starting shortly. The first presentation will be on Feb. 10 at 1 p.m. in Bernath Auditorium. We’ll explain how phishing works and what you can do to fight back.
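As an added example that is not from the original post, here is the kind of check a mail gateway, or a careful reader, applies to a tax-season message: does the sender domain really belong to the university, does the Reply-To point somewhere else, and do the links go where their text claims? The sample messages are constructed, the trusted domain is wayne.edu as used elsewhere on this page, and the indicator wording is this example’s own.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"wayne.edu"}   # domains the university actually sends from
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_trusted(domain: str) -> bool:
    # "wayne.edu.secure-login.example" must NOT pass: compare suffixes on a
    # label boundary, never substrings.
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable indicators; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message, policy=policy.default)
    indicators = []
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(sender)
    if not is_trusted(sender_domain):
        indicators.append(f"sender domain {sender_domain} is not a university domain")
    if msg.get("Reply-To"):
        _, reply = parseaddr(str(msg["Reply-To"]))
        if domain_of(reply) != sender_domain:
            indicators.append(f"replies go to {domain_of(reply)}, not to the sender")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = (urlparse(href).hostname or "").lower()
            if IP_LITERAL.match(host):
                indicators.append(f"link points to a bare IP address {host}")
            shown = urlparse(text).hostname if "://" in text else None
            if shown and shown.lower() != host:
                indicators.append(f"link text shows {shown} but goes to {host}")
    return indicators


# Constructed samples: a lookalike and a legitimate notice.
PHISH = """From: "Wayne State Payroll" <payroll@wayne.edu.secure-login.example>
Reply-To: refunds@mail.example
Subject: Action required: confirm your W-2
Content-Type: text/html

<p>Click <a href="http://192.0.2.10/login">https://wayne.edu/payroll</a> to confirm.</p>
"""

LEGIT = """From: "C&IT Help Desk" <helpdesk@wayne.edu>
Subject: Phishing awareness session, Feb. 10
Content-Type: text/html

<p>Details at <a href="https://wayne.edu/cit">https://wayne.edu/cit</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

The lookalike trips all four indicators; note that the sender domain begins with “wayne.edu” and would pass a naive substring check, which is why the comparison is done on label boundaries from the right.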

Privacy in the Twenty-First Century

Privacy policy wordcloud

For the next couple of months we will be focusing on the rapidly growing area of privacy concerns that are raised by the technologies that are ubiquitous in our current age.

In our houses, new devices such as refrigerators and home thermostats are connected to the internet — but who is also looking at our milk or when we have set our thermostats to ‘away’?

Or, in another arena entirely, large organizations like universities collect huge amounts of data on their customers (read: students) and then use that data to mine for information about what is likely to happen to them (for example, which students are likely to not do well in a specific course). In addition to the tricky philosophical issues involved in this kind of big data research, there are also questions of privacy. Who should see these predictive analytics? Should students know what predictions are being made about them? Should their teachers? Their advisors? The legislature? The police? These questions about the right way to use Big Data are being discussed and debated in universities around the world.

Thursday, Jan. 26 is National Data Privacy Day and the Privacy Office, C&IT and University Libraries are sponsoring a web-based talk from 1 to 2 p.m. in the Simons Room (on the first floor of Purdy/Kresge Library; refreshments will be provided).

The speaker is Cindy Compert, who is Chief Technology Officer for Data Security and Privacy at IBM. Further details about the talk can be found here:

http://events.educause.edu/educause-live/webinars/2017/big-data-whats-the-big-deal

Later this spring, additional live speakers will be announced. Watch this space and campus announcements elsewhere for details.

The goal of this campaign is to raise awareness of privacy as an important issue and perhaps to gather a group of people on this campus who are interested in ongoing conversation about these issues.


Image source: http://www.top10bestwebsitebuilders.com/how-to-create-a-website/free/free-privacy-policy-generator

Creepy new smartphone surveillance tricks

One of my favorite gadget gossip websites, Engadget, had a post last week from Violet Blue, an internet privacy activist, about a cute new piece of snooping software called SilverPush. (Warning: Violet Blue is an internet privacy activist. But she’s also a porn artist and porn philosopher (!). Also a somewhat radical feminist. Visiting some parts of her own website can be ‘not safe for work’.)

It seems that some phone apps (it is not clear which ones) turn on your smartphone’s microphone and listen for an audio beacon transmitted by an advertisement on your TV or computer. The beacon is ultrasonic, pitched above what most adults can hear, so you notice nothing. When the app hears it, it sends a bundle of information about you to the advertiser whose ad is playing.

What happens next is that your phone, or another computer you are logged into, or a tablet or whatever, will serve you up ads based on the signal that was sent to your phone. As Ms Blue puts it

The service it delivers to advertisers is to create a complete and accurate up-to-the-minute profile of what you do, what you watch, which sites you visit, all the devices you use and more.

The result is that your phone is watching you all the time, and making note of which ads you’ve seen so that it can send you more, including being able to text or phone you (one of the pieces of information that it ‘shares’ is your cellphone number).
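To make the mechanism concrete, here is an added example (not from the original post, and not SilverPush’s code, whose encoding is not public) of how an app can pick an inaudible beacon out of microphone audio, which is also how you would detect one. It synthesizes a constructed clip at 44.1 kHz containing an audible 440 Hz tone, a little noise and, optionally, a faint 18.5 kHz beacon, then measures the energy at the beacon frequency with the Goertzel algorithm, a single-bin DFT cheap enough to run continuously on a phone. The frequency, amplitudes and threshold are this example’s assumptions.

```python
import math
import random

SAMPLE_RATE = 44_100          # Hz, the usual phone microphone rate
BEACON_HZ = 18_500            # assumed beacon pitch: above most adults' hearing
WINDOW = 4_410                # 0.1 s of audio; 18 500 Hz lands exactly on bin 1850


def synth_clip(beacon: bool, seed: int = 1) -> list:
    """Constructed microphone capture: an audible 440 Hz tone, low-level noise
    and, if requested, a faint ultrasonic beacon a listener would not notice."""
    rng = random.Random(seed)
    clip = []
    for n in range(WINDOW):
        t = n / SAMPLE_RATE
        x = 0.5 * math.sin(2 * math.pi * 440 * t) + rng.uniform(-0.01, 0.01)
        if beacon:
            x += 0.02 * math.sin(2 * math.pi * BEACON_HZ * t)
        clip.append(x)
    return clip


def goertzel_amplitude(samples: list, target_hz: float, rate: int = SAMPLE_RATE) -> float:
    """Estimated amplitude of a sinusoid at `target_hz` (Goertzel algorithm):
    the DFT evaluated at one bin, with O(N) work and two state variables."""
    n = len(samples)
    k = round(n * target_hz / rate)          # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X[k]|^2
    return 2 * math.sqrt(max(power, 0.0)) / n      # |X[k]| = N*A/2 for amplitude A


def beacon_present(samples: list, threshold: float = 0.005) -> bool:
    """Assumed decision rule: an ultrasonic component well above the noise floor."""
    return goertzel_amplitude(samples, BEACON_HZ) > threshold


if __name__ == "__main__":
    for has_beacon in (False, True):
        clip = synth_clip(has_beacon)
        print(f"beacon={has_beacon}: 440 Hz {goertzel_amplitude(clip, 440):.3f}, "
              f"{BEACON_HZ} Hz {goertzel_amplitude(clip, BEACON_HZ):.4f}, "
              f"detected={beacon_present(clip)}")
```

The beacon is a twenty-fifth the amplitude of the audible tone, yet it stands out by two orders of magnitude over the noise at its own frequency; a real beacon would modulate such a tone to carry an identifier, and a real app would run this over a sliding window whenever it holds the microphone permission.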

Apparently the Federal Trade Commission was a little creeped out by this too, and sent warning letters to app developers using the SilverPush code telling them to disclose it to their users. Apps that use SilverPush apparently include some Samsung apps and Candy Crush. SilverPush claims that no US companies are using its service, but some have questioned that, since the list of companies it contracts with is secret.

Here’s another, perhaps a little less panicked, view. Still, I would recommend that when a newly installed app asks whether it may use the microphone, you say ‘no’ unless the app plainly needs it (a voice recorder does; a flashlight or a game does not).

Interestingly, the Nielsen company (the one that tracks who is watching which TV shows) uses a similar technology, but on a much more open and aboveboard basis. It asks its raters to wear a pager-sized meter that also listens to the TV or radio for inaudible codes embedded in the broadcast audio identifying which program is on. But of course, Nielsen contracts with the people wearing the meter, and pays them to do so.

For more general musing on the state of privacy with respect to the data that companies collect about us, you can watch this rather long, but entertaining talk by Bruce Schneier at a recent Cato Institute Conference on Surveillance.

Tomorrow I’ll post a blog on how to check to see if your smartphone is using your camera or microphone for things you might not know about.

The latest on the Apple-FBI Battle

Last week I noted that the FBI claimed it was only interested in this one iPhone, and that its claim that it had no intention of using this case as a precedent was clearly not true. This was because it was already using the same request to get into a number of other iPhones.

Yesterday a federal judge in the Eastern District of New York ruled against the FBI in a similar case. The judge ruled that the government’s expansive reading of the All Writs Act (passed in 1789) did not include the power to force Apple to write new software to defeat the ‘ten strikes and you’re out’ feature, the optional setting that erases the phone after ten wrong passcode guesses and is what prevents unlimited attempts at guessing the passcode.
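As an added illustration (not part of the original post, and a deliberate simplification of what iOS does), the following Python model shows why the FBI wanted that feature, and the escalating delays that accompany it, switched off. It brute-forces a four-digit passcode against a device model with the erase-after-ten rule, with only the delay schedule (the values here are illustrative: one minute after the fifth failure, growing to an hour), and with neither. The passcode and schedule are this example’s assumptions; on a real iPhone the counting is enforced by the operating system or the Secure Enclave, which is exactly why the FBI needed Apple’s signed software to change it.

```python
from typing import Optional, Tuple


def delay_for(failures: int) -> int:
    """Illustrative delay schedule in seconds after the Nth consecutive failure."""
    if failures < 5:
        return 0
    return {5: 60, 6: 300, 7: 900, 8: 900}.get(failures, 3600)


class PasscodeGuard:
    """Toy model of the device-side passcode guard: counts consecutive failures,
    waits according to the schedule, and (optionally) erases after ten."""
    ERASE_AFTER = 10

    def __init__(self, passcode: str, erase: bool = True, delays: bool = True):
        self._passcode = passcode      # assumed secret; never leaves the class
        self.erase_enabled = erase
        self.delays_enabled = delays
        self.failures = 0
        self.erased = False
        self.seconds_waited = 0        # simulated wall-clock cost to the attacker

    def try_unlock(self, guess: str) -> bool:
        if self.erased:
            raise RuntimeError("device has been erased; nothing left to unlock")
        if guess == self._passcode:
            self.failures = 0
            return True
        self.failures += 1
        if self.erase_enabled and self.failures >= self.ERASE_AFTER:
            self.erased = True
        elif self.delays_enabled:
            self.seconds_waited += delay_for(self.failures)
        return False


def brute_force(device: PasscodeGuard, digits: int = 4) -> Tuple[Optional[str], int]:
    """Try every passcode in order; returns (passcode or None, guesses made)."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if device.try_unlock(guess):
            return guess, n + 1
        if device.erased:
            return None, n + 1
    return None, 10 ** digits


if __name__ == "__main__":
    for erase, delays in ((True, True), (False, True), (False, False)):
        dev = PasscodeGuard("7391", erase=erase, delays=delays)
        found, guesses = brute_force(dev)
        print(f"erase={erase!s:5} delays={delays!s:5} -> found={found} "
              f"after {guesses} guesses, {dev.seconds_waited / 86400:.0f} days waiting")
```

With the erase rule the attack dies on the tenth guess; with only the delays, a four-digit code takes 7,392 guesses and roughly 308 simulated days of waiting; with both removed, which is what the court order asked Apple to build, it takes seconds. That is why the case is about the design of the device rather than about one phone.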

It’s almost certain that this case will eventually end up before the Supreme Court, as it places the reliable security of our mobile devices in conflict with the government’s desire to search them. The FBI claims that they will be really, really careful with these tools, but the mere fact that they exist means that they will leak. Here’s a somewhat radical comment on that likelihood.

Go here for a comprehensive guide to all the issues.

Tim Cook and the FBI will testify before Congress this afternoon.

The terrorist’s iPhone is probably just a ruse.

Now that it’s getting national play, people have noticed that this isn’t the first time the Government has attempted to get Apple to break their own iPhone security. Months before the San Bernardino attacks they tried a couple of times to get Apple to do the same thing. A judge for the US District Court refused the same order in a case unrelated to national security in October of last year.

So one could conclude that the government’s purpose here is to wrap itself in the flag because it really does not like the idea of security without back doors. If it wins this case, of course, the rest of the world will go on writing secure software. With hundreds of millions of iPhones in use, there is an enormous market for truly secure smartphones, and if the US government breaks them I am sure Chinese, Indian or Finnish companies will be eager to supply phones we can use for online banking, shopping at Amazon, remote desktop connections and other totally legitimate reasons to want security without back doors floating around waiting to be exploited.

Amazon and Bestbuy are following me, and it’s creeping me out

Be Aware of What’s Being Shared

Yesterday I needed to find a price for a box of inkjet printer cartridges I have but no longer need (the printer broke and I bought a new one that uses different cartridges). I was trying to sell them.
This morning I visited my favorite political blog site, Reason Magazine’s Hit and Run and guess what showed up on the right hand side of the page–ads for Canon printers and HP inkjet cartridges. How did Hit and Run know?

Of course, it didn’t. But Amazon and Best Buy buy ad space on lots of web pages through advertising networks, and the network’s tracking cookie carries an identifier that my browser sends back on every page that embeds the network’s ads, so totally unrelated sites can show me ads aimed at my recent searches. (It is the cookie’s identifier that does this, not my IP address.) And what’s worse, one of those searches was on my iPhone, but the ad showed up on my office desktop: once you are signed in to the same account on two devices, the profile can follow you across devices as well as across sites.

So remember: if you’re searching for something sensitive, use a private browsing window (‘New Private Window’ in Firefox, ‘New Incognito Window’ in Chrome, or ‘New Private Window’ in Safari; these are in the File menu or behind the menu icon at the top right of the window). A private window discards its cookies when you close it, so the ad network’s identifier does not follow you; it does not hide what you do from sites you sign in to or from your network provider. Otherwise you may find ads for pregnancy tests or online tests for symptoms of schizophrenia showing up in your USA Today.
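As an added example (not from the original post) of the mechanism, the following Python model plays both sides of the exchange: an ad network embedded on two unrelated sites, and a browser with a cookie jar. The cookie belongs to the ad network’s domain, not to either site, so the identifier it carries ties the two visits together; a private window is simply a fresh, empty jar. The domain names and the ad selection rule are this example’s assumptions.

```python
import secrets


class AdNetwork:
    """Hypothetical third-party ad server whose tags are embedded on many sites."""
    DOMAIN = "ads.example"

    def __init__(self):
        self.profiles = {}   # tracking id -> list of (site, interest) seen

    def serve_ad(self, site: str, interest: str, cookies: dict):
        """Handle the ad request a page on `site` triggers. The browser sends
        only the cookies scoped to ads.example, so the id is the same whichever
        site embedded the tag. Returns (Set-Cookie value, ad to display)."""
        uid = cookies.get(self.DOMAIN) or secrets.token_hex(8)
        history = self.profiles.setdefault(uid, [])
        ad = f"ad for {history[-1][1]}" if history else "generic ad"
        history.append((site, interest))
        return uid, ad


class Browser:
    """A browser profile: one cookie jar keyed by the cookie's domain."""

    def __init__(self):
        self.jar = {}

    def visit(self, site: str, interest: str, network: AdNetwork) -> str:
        """Load a page on `site` whose content hints at `interest`; the page
        embeds the network's tag, so a third-party request goes out."""
        uid, ad = network.serve_ad(site, interest, self.jar)
        self.jar[network.DOMAIN] = uid     # Set-Cookie for ads.example
        return ad


def private_window() -> Browser:
    """A private window starts with an empty jar and throws it away afterwards."""
    return Browser()


if __name__ == "__main__":
    network = AdNetwork()
    me = Browser()
    print("shop.example:", me.visit("shop.example", "inkjet cartridges", network))
    print("news.example:", me.visit("news.example", "politics", network))
    print("news.example (private window):",
          private_window().visit("news.example", "politics", network))
    print("profiles held by the network:", network.profiles)
```

Neither site ever learns the other’s content; the ad network does, because the same cookie comes back from both pages. Blocking third-party cookies, or using the private window, breaks the link by denying the network a stable identifier.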

Bruce Schneier, my favorite IT security and privacy guru has a great column about how our mobile devices are now talking to our laptops and desktops and vice versa–long but worth a read:

Bruce Schneier on the Internet of Things

If this bothers you, or you are just interested in learning more about the relationship between privacy and Big Data, come hear Sol Bermann on January 26.