Happy National Cybersecurity Awareness Month 2018! Police your Password

It’s October! This means that—along with all those ever-important holidays like “Global Handwashing Day,” “National Feral Cat Day,” and “International Day of the Nacho”—it is National Cybersecurity Awareness Month! Unlike “Sweetest Day” (which I had honestly never heard of until I moved to Michigan), you do not have to buy someone candy to show your affections, you simply need to make certain that you are taking care to protect your online privacy.

As part of NCSAM, I thought that I would talk a bit about something we do not consider much: the password. Many of us realize that they are unavoidable, but consider them a nuisance that has to be worked around in order to do the things we want or need to do.

The average person spends eleven hours connected to the internet every day. From banking to chatting with friends, uploading a paper on Canvas to registering for classes, there is really no limit to the things we do on a daily basis online. Almost every single resource we use—from Facebook to Wayne Connect—is secured with a password. You may choose to better secure yourself using two-factor authentication (which I covered last year for NCSAM) but the first line of defense is always our password.

Sadly, most of the population is really bad at creating passwords. For example, this past week, I happened to watch the first episode of the Murphy Brown reboot, in which Candice Bergen’s character instructs her son to use “password” as the password for a new Twitter account. Amazingly, the IRS was actually discovered to be using “password” for a password for secure systems in 2015.

I find it interesting that we still have lists of worst passwords. In 2017, Time Magazine reported this list of the top ten worst passwords:

  • 123456
  • Password
  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou

These few statistics point out exactly why we cannot take risks with simple passwords:

  • 10,000 of the most common passwords (such as 12345, qwerty, or 123456) can access 98% of accounts.
  • 90% of passwords generated by users are vulnerable to hacking.
  • The average user has around 26 online profiles or accounts, yet they only use five passwords for all of them.
  • In 2014, five million Gmail passwords were hacked and released online.
  • In 2017, Yahoo admitted that the data breach that had occurred three years earlier reached three million accounts.

So, what is important in creating a password?

  1. Make it unique. Do not use the same password for more than one account. If a hacker gains access to one account, they will have access to every account using that password.
  2. Make it long. Longer passwords are simply more secure. You should be using at least eight characters.
  3. Use a phrase. Using more than one word increases its security. Use a phrase no one else would know.
  4. Vary the characters. Combine uppercase, lowercase, numbers, and special characters in your password. This has become a requirement for many accounts. As an example, using this and the last suggestion, if you wanted to set your password as “happy birthday”, write it as “H@ppyB1r+hD@y.”
  5. Avoid personal information and common words. Do not use information that someone could easily find out. If someone can learn your child’s name and the day they were born from a simple Facebook post, you are not choosing a good password.
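To show how the rules above can be applied mechanically, here is a small password checker written for this post as an added example; it is not code from the original article or from C&IT. It encodes rules 1, 2, 4 and 5 (rule 3, “use a phrase,” cannot be judged by a program) and uses the Time Magazine top-ten list quoted earlier as its dictionary. The function names, the `LEET_MAP` substitution table and the sample inputs are all my own constructions; the table exists because cracking wordlists already enumerate swaps like “@” for “a” and “0” for “o,” so a checker should undo them before comparing against known-bad passwords.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# The Time Magazine "worst passwords" list quoted in the post, stored lower-case.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "letmein", "1234567", "football", "iloveyou",
}

# Predictable character substitutions that cracking wordlists already enumerate.
# Assumption: this small constructed table is enough to map the post's example
# "H@ppyB1r+hD@y" back to "happybirthday" for the dictionary check.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
    "$": "s", "5": "s", "+": "t", "7": "t",
})


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions so dictionary checks see the base word."""
    return password.lower().translate(LEET_MAP)


@dataclass
class Report:
    ok: bool
    problems: List[str] = field(default_factory=list)


def check_password(password: str,
                   personal_info: Iterable[str] = (),
                   previously_used: Iterable[str] = (),
                   min_length: int = 8) -> Report:
    """Apply the post's rules 1, 2, 4 and 5 and report every violation found.

    Rule 3 ("use a phrase") cannot be verified mechanically, so it is left to the user.
    """
    problems: List[str] = []

    # Rule 1: unique. Reuse means one breach exposes every account sharing it.
    if password in set(previously_used):
        problems.append("reused: this password is already in use on another account")

    # Rule 2: long. The post's minimum is eight characters.
    if len(password) < min_length:
        problems.append(f"too short: fewer than {min_length} characters")

    # Rule 4: vary the characters. Require all four classes, as the post asks.
    missing = [name for name, test in (
        ("lowercase", str.islower), ("uppercase", str.isupper),
        ("digit", str.isdigit), ("special", lambda c: not c.isalnum()),
    ) if not any(test(c) for c in password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    # Rule 5: avoid common words and personal information. Compare the raw
    # lower-cased password, its de-leeted form, and the letters-only remainder,
    # so "Passw0rd!" is still recognised as "password".
    lowered = password.lower()
    norm = normalize(password)
    letters_only = re.sub(r"[^a-z]", "", norm)
    if {lowered, norm, letters_only} & WORST_PASSWORDS:
        problems.append("common: matches a worst-passwords entry (even after undoing substitutions)")
    for item in personal_info:
        item_l = item.lower()
        if len(item_l) >= 3 and (item_l in lowered or item_l in norm):
            problems.append(f"personal: contains '{item}'")

    return Report(ok=not problems, problems=problems)


if __name__ == "__main__":
    # Constructed sample inputs: the post's own example, two weak choices,
    # and one built from (made-up) personal details.
    samples = [
        ("H@ppyB1r+hD@y", {}),
        ("password", {}),
        ("Passw0rd!", {}),
        ("Emma2012!xyz", {"personal_info": ["Emma", "2012"]}),
    ]
    for pw, kwargs in samples:
        report = check_password(pw, **kwargs)
        print(f"{pw!r}: {'OK' if report.ok else 'REJECT'} {report.problems}")
```

Passing the list of passwords you already use as `previously_used` is what turns rule 1 into something a program can enforce; a password manager does exactly this bookkeeping for you, which is the point the next paragraphs make.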

With those thoughts, I would highly suggest that you consider using a password manager to create and maintain unique credentials for all of your profiles. A password manager is a type of software that creates, stores, and protects passwords. The best of these services should have an app for your mobile device that works in conjunction with add-ons for your computer’s browsers. This allows you to have your information everywhere you go.

Some of the top password managers are Dashlane, LastPass, and Keeper. Though there are free versions of some of these, they are often limited to the number of passwords they will store or how much you can share a password. Given the cost and hassle that goes along with identity theft, these programs are generally worth the cost. Since most of us have many accounts we are juggling in our lives, we would all be best served by using one.

Good news to remember for NCSAM! I know how much people complain when our Wayne State accounts require us to change our password. Because we would want to encourage all of the Wayne State family to use better passwords, C&IT instituted a policy where we will never again ask you to change your password if it meets certain strength requirements.

Have a wonderful National Cyber Security Awareness Month! Celebrate by spending a little time making certain that your information is safe both at home and work.

If you’d like some more tips for creating a secure password, see this excellent infographic from Mike’s Gear Reviews below.

Create Secure Password Infographic

How to protect yourself against the CIA (or anybody with their files)

By now most people have heard about the WikiLeaks revelation that the CIA has for years been developing programs to break into iPhones, Droids and Samsung TV’s. Assuming you don’t want them to do that, it turns out there are ways to keep them out of your house.

First, the background. WikiLeaks is the infamous source of supposedly secret data managed by a consortium and led by Julian Assange (who is currently living in Ecuador’s embassy in London to avoid extradition). On Tuesday, WikiLeaks released thousands of pages of data supposedly lost by the CIA (and hence floating around the less public areas of the internet). These include programs for hacking Skype, your Wi-Fi router, Apple and Android smartphones, the apps Signal, WhatsApp, Telegram and more — several million lines of code (computer programming). So far crucial bits of the code have been redacted by WikiLeaks to prevent it from being used by those who download the files.

But what if you think there’s no reason for the CIA to be snooping on your devices? Unfortunately, WikiLeaks released these files because they were floating around “in the wild” already, which means that not only the CIA but other folks have access to them. And, whatever you think of the CIA, we have no assurance that the outsiders who passed these files around have motives as “pure” as the CIA’s.

There’s been some discussion about whether these files are authentic, but betting in the security community is that they are. Bruce Schneier, who I consider to be a reliable judge of such things, seems to believe they are real and has discussed the topic on his blog twice now:

What you can do

Can you do anything to protect yourself against these tools? Probably, yes. The New York Times had an article on Thursday detailing simple steps you can take to make your devices somewhat more secure. The primary thing is to keep your operating system up to date. This is not news, of course — we in the C&IT Security/Privacy team have been saying this for years.

Make sure your iPhone is using iOS 10 if it can (any iPhone with a model number of 5 or above and any iPad younger than 2013 can run this OS).

For Android devices, (both phones and tablets) any version of the Android OS after version 4.0 should be safe, but older devices such as the Samsung Galaxy S3 won’t run it.

To protect your Wi-Fi router, you are advised to upgrade to the latest firmware, but this is rather trickier to do unless you are comfortable logging in to your router, but you can probably get your internet service provider’s help desk to talk you through the task.

Unfortunately it doesn’t seem so easy to lock your Samsung SmartTV down. Of course, you can always unplug it when you’re not watching it[1], although then you have to wait for it to boot up before you can head over to Amazon to watch Mozart in the Jungle or whatever your favorite online streamed program happens to be.


[1] Just turning the TV off with your remote does not turn it off. It’s still in listening mode and a malicious hacker can also turn on the camera — yes SmartTV’s have cameras. So watch the hanky-panky in front of your TV — someone may be watching.

Privacy in the Twenty-First Century

Privacy policy wordcloud

For the next couple of months we will be focusing on the rapidly growing area of privacy concerns that are raised by the technologies that are ubiquitous in our current age.

In our houses, new devices such as refrigerators and home thermostats are connected to the internet — but who is also looking at our milk or when we have set our thermostats to ‘away’?

Or, in another arena entirely, large organizations like universities collect huge amounts of data on their customers (read: students) and then use that data to mine for information about what is likely to happen to them (for example, which students are likely to not do well in a specific course). In addition to the tricky philosophical issues involved in this kind of big data research, there are also questions of privacy. Who should see these predictive analytics? Should students know what predictions are being made about them? Should their teachers? Their advisors? The legislature? The police? These questions about the right way to use Big Data are being discussed and debated in universities around the world.

Thursday, Jan. 26 is National Data Privacy Day and the Privacy Office, C&IT and University Libraries are sponsoring a web-based talk from 1 to 2 p.m. in the Simons Room (on the first floor of Purdy/Kresge Library; refreshments will be provided).

The speaker is Cindy Compert, who is Chief Technology Officer for Data Security and Privacy at IBM. Further details about the talk can be found here:

http://events.educause.edu/educause-live/webinars/2017/big-data-whats-the-big-deal

Later this spring, additional live speakers will be announced. Watch this space and campus announcements elsewhere for details.

The goal of this campaign is to raise awareness of privacy as an important issue and perhaps to gather a group of people on this campus who are interested in ongoing conversation about these issues.


Image source: http://www.top10bestwebsitebuilders.com/how-to-create-a-website/free/free-privacy-policy-generator

What does the Yahoo Breach mean? Fix your password now!

You may have heard that Yahoo suffered a security breach which they revealed last week, although it’s not exactly clear when it happened, or even when they became aware of it. You probably don’t think this matters to you, but you might be surprised. There are some things you should do immediately, and some things you should do in the next few days.

First the facts: According to Reuters, at least 500 million (yes, half a billion) accounts were hacked. That means that user names, email addresses, telephone numbers, birth dates, and encrypted passwords were all stolen. Unencrypted passwords and payment data (bank account information) were not taken. According to Bruce Schneier this is the largest breach in history.

Yahoo is claiming that the breach happened in 2014, and that they became aware of it recently, although some have questioned that claim.

So what does this have to do with you? First, if you know you have a Yahoo account, change the password now. Although they claim it happened two years ago, unless you’re sure you’ve changed the password since then, change it now.

Second, many other things are linked to Yahoo. For example, if you have a Uverse account, and use the email address associated with it, that’s the same set of credentials. The same for Flickr. Also, change the security questions (and especially the answers).[1]

Finally, if you used the same password for any other account, particularly your Wayne State email/Academica/AccessID account, CHANGE THE PASSWORD NOW!!! Especially if you have the same access ID (i.e. as I do, geoffnathan@yahoo.com)[2]

This is a good reason, unfortunately, for the annoying requirement for frequent password changes—people reuse passwords. On the other hand, if you use a password manager (like LastPass or Dashlane or Keepass) you don’t need to worry about it. You can read a discussion of the various password managers here

Finally, check back here later in the week to hear about a new security measure C&IT will be implementing that will change the way you get to things like your pay stub, your time sheet and your direct-deposit information in Academica.


[1] This is a good time to reiterate that you should not use standard answers to security questions. So if it asks you your mother’s maiden name, LIE. Nobody cares, and that answer can’t be Googled, and isn’t on Facebook. Just make sure you record your answer somewhere where you can find it.

[2] And, before you can get smart with me, as I am writing this I have already changed it.

Booking International Travel is About to Change

Getting to TravelWayne is going to get a little more complicated if you are planning international travel. Here’s why.

For a number of years the US Department of State, the Department of Commerce and the U.S. Treasury Department have had restrictions on what things can be exported to other countries. These restrictions come from the International Traffic in Arms (ITAR) regulations, the Export Administration Regulations (EAR) and the Office of Foreign Assets Controls (OFAC). However, ‘export’ doesn’t mean what you think it means. The US government defines ‘export’ as moving objects or data out of the country. That includes objects such as laptops that contain data. There are certain kinds of data that cannot be taken to certain countries. Probably most data you would put on a laptop (or tablet, or thumb drive, etc.) would not be restricted. But there is a large list of kinds of data that could get you, and Wayne State into big trouble if the Feds find out you have taken them to China, or Iran, or even France, in some cases.

Just as an example of how faculty members can get into trouble, you can read the University of Hawaiʻi’s website on the topic.

Further complicating things is the fact that some countries forbid encrypted data from being imported into those countries. Here is a map showing which countries restrict the import of encrypted data.

So, to protect everyone involved (travelers and their ‘supervisors’–chairs and such, as well as the Office of Research), there is a new university policy on international travel that is going into effect in a couple of weeks, once the mechanisms are in place.

How will the policy affect the average traveler? If you are traveling within the US, it will have no effect. But if you are travelling internationally, you will see a new button in Academica saying ‘International Travel’. When you click that, you will be taken to a questionnaire that asks what you will be bringing with you. If one of your answers triggers a potential international travel issue, the system will generate an email to the Export Control office at Wayne. You will be urged to contact them so that they can make sure you are not violating laws against Export Control. After you do so, they will send you an email giving you clearance to travel.

For a preview of the questions, just go to ft.wayne.edu. At the moment it’s set up as a test version, so no emails are generated, and it doesn’t record who has visited.

The way the system will work is that when you begin the process of making travel plans (within TravelWayne) for each trip, you will have to go through the questionnaire. Thereafter, for each trip you can go directly to TravelWayne (say, to tweak your hotel reservation or whatever).

The kicker, once the policy goes into effect, is that you will not be reimbursed for your trip if you haven’t received clearance from the Export Control office, so it is definitely in your interest to get that clearance.

Associated with this policy are two helpful FAQs that make suggestions about safe ways to travel internationally, one on legal questions, the other on technical issues. These include always using the VPN when connecting to Wayne State resources (such as your email, or files stored on Wayne State sites). Note that you cannot even reach Facebook or Google from certain countries (including China) unless you use the VPN, by decision of the host country. Wayne State has nothing to do with these restrictions, of course.


The IRS is coming and they want to help–really!

As I mentioned in an earlier post and also here, a number of Wayne State employees were hit by an IRS hack that stole their identities and attempted to claim refunds. Wayne State C&IT and Internal Audit have investigated these hacks and have found no evidence that the source of the leaks was located at Wayne State, but nonetheless the IRS has volunteered to send an agent to campus to talk about how to avoid this kind of attack in the future.

We have contacted all the victims that we know of, but have also decided to open the IRS agent’s talk to the campus at large. Here are the details:

Tuesday, July 12, 10:00 AM

Partrich Auditorium (located in the Law School).

No need to RSVP—just come.

If you have any questions, you can contact the Office of Internal Audit at (313) 577-2128 or Carolyn Hafner at ab0414@wayne.edu.

The latest on the Apple-FBI Battle

Last week I noted that the FBI claimed that they were only interested in this one iPhone, and that the claim that they had no intention of using this case as a precedent was clearly not true. This was because they were already using the same request to get into a number of other iPhones.

Yesterday a Federal judge in the New York Eastern District ruled against the FBI in a similar case. The judge ruled that the Government’s expansive use of the ‘All Writs’ Act (passed in the eighteenth century) did not include the ability to force Apple to write new software to break the ‘nine strikes and you’re out’ feature of older iPhones — the feature that prevents multiple tries at guessing passwords.

It’s almost certain that this case will eventually end up before the Supreme Court, as it places the reliable security of our mobile devices in conflict with the government’s desire to search them. The FBI claims that they will be really, really careful with these tools, but the mere fact that they exist means that they will leak. Here’s a somewhat radical comment on that likelihood.

Go here for a comprehensive guide to all the issues.

Tim Cook and the FBI will testify before Congress this afternoon.

The terrorist’s iPhone is probably just a ruse.

Now that it’s getting national play, people have noticed that this isn’t the first time the Government has attempted to get Apple to break their own iPhone security. Months before the San Bernardino attacks they tried a couple of times to get Apple to do the same thing. A judge for the US District Court refused the same order in a case unrelated to national security in October of last year.

So one could conclude that the government’s purpose here is to wrap itself in the flag because it really doesn’t like the idea of security without back doors. If they win this case, of course, the world will continue to write secure software. Since the number of iPhones in the world is nearly 50 million, that’s an enormous market for truly secure smartphones, and if the US government breaks them I’m sure there will be Chinese, Indian or Finnish companies eager to supply truly secure phones we can use for online banking, shopping at Amazon, remote desktop connections and other totally legitimate reasons to have security without back doors floating around waiting to be exploited.

Amazon and Bestbuy are following me, and it’s creeping me out

Be Aware of What’s Being Shared

Yesterday I needed to find a price for a box of inkjet printer cartridges I have but no longer need (the printer broke and I bought a new one that uses different cartridges). I was trying to sell them. This morning I visited my favorite political blog site, Reason Magazine’s Hit and Run, and guess what showed up on the right-hand side of the page–ads for Canon printers and HP inkjet cartridges. How did Hit and Run know?

Of course, they didn’t. But Amazon and Best Buy purchase ad space on lots of web pages, and my IP address is stored in various cookies, so totally unrelated sites know who I am and their ads target me. And what’s worse, one of those searches was on my iPhone, but the ad showed up on my office desktop.

So remember–if you’re searching for something sensitive, use an anonymized browser page (on Firefox select ‘New Private Window’, ‘New incognito window’ in Chrome, or in Safari a ‘Private Window’–these choices are usually available under the File menu, or at the three horizontal lines icon at the top left). Otherwise you may find ads for pregnancy tests or online tests for symptoms of schizophrenia showing up in your USA Today.

Bruce Schneier, my favorite IT security and privacy guru has a great column about how our mobile devices are now talking to our laptops and desktops and vice versa–long but worth a read:

Bruce Schneier on the Internet of Things

If this bothers you, or you are just interested in learning more about the relationship between privacy and Big Data, come hear Sol Bermann on January 26.