Archive for the ‘computer security’ Category

Techie Tip of the Week: Watch the Security Video

Friday, January 25th, 2013

Stanford’s Information Security Office has put together important videos for the Stanford community covering tips for staying safe online. Two videos were produced — one for students; the other for faculty and staff. For those with dual student and employee affiliations at the University, viewing both videos is required.

University employees who have not yet watched the video will be required to do so by March 12.

The 12-minute videos are available now in the Accounts Application (https://accounts.stanford.edu/manage).

A summary of key information will be sent to the person via email after the video is played. Afterward, the video will remain available for viewing within the Accounts Application (https://accounts.stanford.edu/manage).

If a person has not watched the video(s) within the allotted time frame, that person’s next login attempt to any authenticated Stanford web site via WebLogin will be redirected to the awareness video to complete this requirement before being permitted to proceed.

For more information, visit these sites:

Techie Tip of the Week: Use 2-Step Authentication for Extra Security

Friday, January 4th, 2013

Hackers, identity thieves, and other nefarious folk are constantly trying to gain access to your information. Although having a good password is a great idea and is important to protecting your information, using 2-step authentication really makes it quite difficult for others to obtain your data.

Two-step authentication (also known as 2-step verification or 2-factor authentication) uses two types of authentication to verify your identity: your password and an authentication code. In order for a thief to steal your data, they would need to know not only your password, but also have access to the code (which can be set to change every 30-60 seconds).

Google has been allowing people to use two-step verification for a while now. And now, it’s available at Stanford.

Two-step authentication is required to access Stanford systems that have higher than normal levels of security, such as critical business or infrastructure systems. In addition, two-step authentication can help protect your Stanford account should someone other than you learn your password.

To learn more about two-step authentication, go to https://itservices.stanford.edu/service/webauth/twostep

To enable two-step authentication:

  1. Go to http://accounts.stanford.edu
  2. Click Manage.
  3. Click Two-Step Auth.
  4. Click Enable and follow the on-screen instructions.

Then, to use two-step authentication:

  1. Visit the protected site.
  2. At the SUNet ID login screen, enter your SUNet ID and password, as always.
  3. If you are using Google Authenticator, launch it and enter the Google Authenticator code.
    If you are using Text Messaging, enter the code that comes with the text message.
    If you are using the Printed List method, enter one of the codes (each code can be used once).

Techie Tip of the Week: Yahoo! Usernames and Passwords Exposed – What to do

Friday, July 13th, 2012

You may have heard that hackers recently exposed thousands of credentials for users of Yahoo! Voice.

What can you do to ensure you’re not one of them? Sucuri Malware Labs has set up a web site that checks to see if your account was one of those that were hacked:

  1. Go to the Sucuri Malware Labs Yahoo Leak Password Checker website:
    http://labs.sucuri.net/?yahooleak
  2. In the Your email field, enter your email address (note that you can sign into Yahoo! Voice using other email addresses, so you may want to check all of your email addresses, not just your Yahoo! account).
  3. Click Check email.

Hopefully your account wasn’t one of the nearly half a million accounts that were leaked. But if it was, what should you do? As Sucuri notes in their blog post “What Should I Do If My Email is in the Yahoo Leak”:

  1. Immediately change your Yahoo password.
  2. Change the password of any account that was using the Yahoo password.
  3. If you use Yahoo! Voice, you should change your password even if your account isn’t on the list of compromised accounts. When security has been breached on a secured site like Yahoo!, you should assume that all of the data are compromised, not just those that have been shown to be exposed.

For a breakdown of the leak, including the passwords people had been using, see Sucuri’s analysis:
http://blog.sucuri.net/2012/07/analysis-of-yahoo-voice-password-leak-453441-passwords-exposed.html

Techie Tip of the Week: Update and Use Anti-Virus Software! (Even Mac Users!)

Friday, May 18th, 2012

Most Windows-based users know that they need to keep their computers patched and protected from viruses. But many Mac users have the mistaken impression that viruses, trojans, and other malware are just for Windows.

Not true! Macintosh machines are vulnerable to attack as well — there are just fewer malware attacks against Macs since it’s more difficult to create and deploy them.

As reported in a recent article in the NY Times, one of the largest and most widespread attacks against the Mac OS X operating system has recently hit Mac users, and it has infected a half-million machines. First discovered in September, “Flashback” allows a remote hacker to gain access to your computer or download further malicious code to your Mac.

The fix? Make sure you have installed anti-virus software and that you keep it up to date.

Stanford has site-licensed the Sophos Anti-Virus software and Stanford people can download it for no additional charge by visiting http://ess.stanford.edu/ (both Macintosh and Windows versions are available for download).

Until next week, safe travels on the ‘Net!

Techie Tip of the Week: Always Use SSL in Facebook

Friday, December 16th, 2011

A few months ago, we discussed the importance of using secure browsing since packet sniffers can be used to steal your information while online. This week’s tip will show how you can change your settings in Facebook to always use https when you log into Facebook.

To set up Facebook to always use secure browsing:

1. Log into Facebook.
2. Go to your Security Settings page (Account > Account Settings > Security)
3. Click the Secure Browsing section.
4. Check the box.
5. Click Save.

Until next week, safe travels on the Net!

Techie Tip of the Week — Packet Sniffers

Friday, May 20th, 2011

Last week we talked about TCP/IP and how, when data travels across the Internet, it “hops” from node to node in little pieces called packets.

Be aware! When you do things on the Internet, if the method of transport is insecure (for example, if you are looking at a web page using http instead of https, or if you are sending email to an address that is outside of your local network), the packets that are sent may be intercepted along the route by a hacker. Your email, web page, or, perhaps more importantly, web cookie (complete with your credentials intact) may get intercepted by a maleficent user!

Special computer programs, known as Packet Sniffers or Packet Analyzers, are used to do just that. As the data flows across the network, the sniffer tool captures each packet and decodes the packet’s raw data, showing the values of various fields in the packet.

You’re particularly vulnerable to having your data intercepted if you use a wireless device over an unsecured wireless network. WiFi networks have a range of about 100 yards; anyone within a football field of your wireless device could be reading your email or logging into your Facebook, Yahoo! Mail, or other account by stealing the unencrypted cookie with your login credentials.

So, what can you do?

  1. Always use https any time you log into an account.
  2. Don’t use a service that uses https during the login part but then switches back to http after logging you in. By default, Facebook and Yahoo! Mail do this. With Facebook, you can change your settings so it will always use https (Account>Account Settings>Account Security>Secure Browsing). With Yahoo! Mail, your username and password are protected, but once you log in, it switches you back to http. Anyone with sniffer software installed could read your email as it’s being sent.
  3. Be careful when using unsecured wireless networks. Don’t log into accounts that only use http. Don’t send important emails. When using one of the free wireless hotspots at a fast food restaurant, hotel, coffee shop, airport, or school (including Stanford), most likely it will be on an insecure wireless network. Anyone within a football field running a packet sniffer could easily steal your credentials and access your account.
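
The "https for login, then back to http" problem described in this tip and in the Facebook secure-browsing tip can be checked from the server's response headers. The following is an added example, not code from any of the services named; the function name, finding labels, hostnames and cookie values are all made up for illustration, and the check for a Strict-Transport-Security header goes slightly beyond what the tip covers.

```python
from http.cookies import SimpleCookie

def audit_login_response(headers):
    """Return (finding, detail) pairs for a post-login response.

    `headers` is a list of (name, value) tuples as received from the server.
    """
    findings = []
    seen = {name.lower() for name, _ in headers}
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                if not morsel["secure"]:
                    # Without Secure the browser attaches the cookie to plain
                    # http requests, where anyone on the path can read it.
                    findings.append(("COOKIE_NOT_SECURE", cookie_name))
        elif lname == "location" and value.strip().lower().startswith("http://"):
            # The session continues in cleartext after the login step.
            findings.append(("REDIRECT_TO_HTTP", value.strip()))
    if "strict-transport-security" not in seen:
        findings.append(("NO_HSTS", "nothing tells the browser to refuse http"))
    return findings

# Constructed sample responses (hostnames and cookie values are made up).
WEAK = [
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Location", "http://mail.example.test/inbox"),
]
HARDENED = [
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Location", "https://mail.example.test/inbox"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_login_response(response))
```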

Techie Tip of the Week: Pick a Good Password

Friday, March 11th, 2011

Setting a good password is critical to ensuring computer security.

Here are some tips for creating a good password:

  1. Longer is better — at least 9 characters.
  2. Remove all the vowels from a short phrase (e.g., llctsrgry — “All cats are gray”)
  3. Use an acronym: choose the first or second letter of each word in your favorite quotation (e.g., itsotfitd — “It’s the size of the fight in the dog”)
  4. Mix letters and non-letters in your passwords. (Non-letters include numbers and all punctuation characters on the keyboard.)
  5. Transform a phrase by using numbers or punctuation (e.g., UR1drful — you are wonderful).
  6. Consider using a phrase instead of a word. Pass phrases are sentences or parts of a sentence, and, as such, tend to be easier to remember than passwords. When picking a pass phrase, try to have the phrase be at least 15 characters in length. The reason pass phrases work (and, in fact, are better than passwords) is that the increased length provides so many possible permutations that password-cracking programs have greater difficulty in cracking the code.
    • Decent password: tgT!b8tu  (stands for the good, the bad, and the ugly, with some alternating uppercase and lowercase letters and substituting numerals and punctuation for letters or spaces)
    • Better pass phrase: The good, the bad, and the ugly is my number 1 favorite movie of all time because of the acting, the themes involved, and the plot.
    • Even better pass phrase (substituting ‘zero’ for ‘o’): The G00d, the Bad, & the Ugly is my #1 fav0rite m0vie 0f all time because 0f the acting, the themes inv0lved, and the pl0t.

More tips like these can be found at https://itservices.stanford.edu/service/unixcomputing/unix/passwords

Techie Tip of the Week: Help Avoid Identity Theft

Friday, March 4th, 2011

In today’s Tech Briefing, we spoke about steps you can take to help avoid becoming a victim of identity theft.

While there’s no way to absolutely prevent thieves from stealing your identity, here are some steps you can take to protect yourself:
(tips taken from the Stanford University Department of Public Safety — http://www.stanford.edu/group/SUDPS/safety-report/personal-safety.shtml)

  1. Destroy private records and statements. Destroy credit card statements, solicitations and other documents that contain any private information. Shred this paperwork using a “cross-cut” shredder so thieves can’t find your data when they rummage through your garbage. Also, don’t leave a paper trail – never leave ATM, credit card or gas station receipts behind.
  2. Secure your mail. Empty your mailbox quickly, lock it or get a P.O. box so criminals don’t have a chance to steal credit card offers. Never mail outgoing bill payments and checks from an unsecured mailbox, especially at home. They can be stolen from your mailbox and the payee’s name erased with solvents. Mail them from the post office or another secure location.
  3. Safeguard your Social Security number. Never carry your card with you, or any other card that may have your number, like a health insurance card or school issued ID. Don’t put your number on your checks; your SSN is the primary target for identity thieves because it gives them access to your credit report and bank accounts. There are very few entities that can actually demand your SSN – the Department of Motor Vehicles, for example. Also, SSNs are required for transactions involving taxes, so that means banks, brokerages, employers, and the like also have a legitimate need for your SSN.
  4. Safeguard your computer. Protect your computer from viruses and spies. Use complicated passwords; frequently update antivirus and anti-spyware software. Surf the Web cautiously. Shop only at trustworthy web sites and be wary of obscure sites or any site you’ve never used before.
  5. Know who you’re dealing with. Whenever you are contacted, either by phone or email, by individuals identifying themselves as banks, credit card or e-commerce companies and asked for private identity or financial information, do not respond. Legitimate companies do not contact you and ask you to provide personal data such as PINs, user names and passwords or bank account information over the phone or Internet. If you think the request is legitimate, contact the company yourself by calling customer service using the number on your account statement or in the telephone book and confirm what you were told before revealing any of your personal data.
  6. Take your name off marketers’ hit lists. In addition to the national Do Not Call Registry (1-888-382-1222 or https://www.donotcall.gov), you also can reduce credit card solicitations for five years by contacting an opt-out service run by the three major credit bureaus: (888) 5-OPT OUT or https://www.optoutprescreen.com. You’ll need to provide your Social Security number as an identifier.
  7. Be more defensive with personal information. Ask questions whenever anyone asks you for personal data. How will the information be used? Why must I provide this data? Ask anyone who does require your Social Security number — for instance, cell phone providers — what their privacy policy is and whether you can arrange for the organization not to share your information with anyone else.
  8. Monitor your credit report. Each year, obtain and thoroughly review your credit report from the three major credit bureaus, Equifax, Experian and TransUnion (now available annually for free by calling 877-322-8228 or at https://www.annualcreditreport.com) to look for suspicious activity. If you spot something, alert your card company or the creditor immediately.
  9. Review your bank and credit card statements carefully. Look for unauthorized charges or withdrawals and report them immediately. Make sure you recognize the merchants, locations and purchases listed before paying the bill. If you don’t need or use department-store or bank-issued credit cards, consider closing the accounts.
  10. Be aware of how ID thieves can get your information. They get information:
    • From businesses or other institutions by stealing records, bribing employees with access to records, hacking into computers, or rummaging through trash.
    • By posing as a landlord, employer, or someone else who may have a legal right to the information.
    • By stealing credit and debit card numbers as your card is processed by using a special information storage device in a practice known as “skimming.”
    • By stealing wallets and purses containing identification and credit or bank cards.
    • By stealing mail, including bank and credit card statements, pre-approved credit offers, new checks, or tax information.
    • By completing a “change of address form” to divert your mail to another location.