Posts Tagged ‘computer security’

Techie Tip of the Week: Use 2-Step Authentication for Extra Security

Friday, January 4th, 2013

Hackers, identity thieves, and other nefarious folk are constantly trying to gain access to your information. Although having a good password is a great idea and is important to protecting your information, using 2-step authentication really makes it quite difficult for others to obtain your data.

Two-step authentication (also known as 2-step verification or 2-factor authentication) uses two types of authentication to verify your identity: your password and an authentication code. In order for a thief to steal your data, they would need to know not only your password, but also have access to the code (which can be set to change every 30-60 seconds).

Google has been allowing people to use two-step verification for a while now. And now, it’s available at Stanford.

Two-step authentication is required to access Stanford systems that have higher than normal levels of security, such as critical business or infrastructure systems. In addition, two-step authentication can help protect your Stanford account should someone other than you learn your password.

To learn more about two-step authentication, go to https://itservices.stanford.edu/service/webauth/twostep

To enable two-step authentication:

  1. Go to http://accounts.stanford.edu
  2. Click Manage.
  3. Click Two-Step Auth.
  4. Click Enable and follow the on-screen instructions.

Then, to use two-step authentication:

  1. Visit the protected site.
  2. At the SUNet ID login screen, enter your SUNet ID and password, as always.
  3. If you are using Google Authenticator, launch it and enter the Google Authenticator code.
    If you are using Text Messaging, enter the code that comes with the text message.
    If you are using the Printed List method, enter one of the codes (each code can be used once).

Techie Tip of the Week: Don’t Click that Link!

Friday, December 14th, 2012

Staying safe on the Internet is challenging. It is technologically easy for nefarious hackers to create emails, web pages, and other documents that look like they are from real, trustworthy entities (e.g., banks, e-commerce sites, or universities).

Be wary of emails or web pages that ask for your username, password, social security number, home address, or other personal information. Check to make sure these requests for information are from legitimate businesses or sources before responding.

Here are some tips for protecting yourself from phishing scams:

  1. Pay attention to the headers in the email (the To field, the From field, the Subject field, etc.). Make sure the email is coming from a legitimate location. Recently, a phishing scam attacked Stanford University; in the header, the From: field read “Computing Services” <bskgoprh@stanford.edu>. If this were a legitimate email, it would likely have come from “security@stanford.edu” or “helpsu@stanford.edu”, or from Matthew Ricks, head of Computing Services, personally.
  2. Never click on a link from within an email. Always open a web browser and manually type in (or copy and paste) the URL yourself. It is easy for “phishers” to make links appear to go one place, but really go someplace else. Just because a link says it’s going to PayPal or some other legitimate location doesn’t necessarily mean it will actually take you there. For example, in the phishing attack that hit Stanford, the phishers used a link that contained part of the real URL (http://axess.stanford.edu), but also contained a number of extra letters and numbers at the end (.student.3hf.be). Pay attention to the URLs in an email and never simply click the link.
  3. Realize that it is easy to create legitimate-looking websites. Victims of the phishing scam that hit Stanford were sent to a website that looked exactly like the real site that people would have gone to if it were legit. Simply because the site LOOKS real doesn’t mean that it is. Pay attention to the URL in the address bar. Does it contain extra letters or substitutions (e.g., 1 for l) that shouldn’t be there?

    For example, these are fake:
    http://www.paypal.com.someplace.ru
    http://www.paypa1.com

    This is the real address:
    http://www.paypal.com
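As an added example (not from the original post), the Python function below does the address-bar check tips 2 and 3 describe: it pulls the hostname out of a URL and tests it against the domain you expected, anchored at the right-hand end, so “paypal.com” buried in the middle of a longer hostname, or “paypa1” with a digit for an l, is reported rather than trusted. The sample URLs are the post’s own plus a constructed one in the shape of the Stanford link the post describes; the `classify` function name and the lookalike table are my own.

```python
from urllib.parse import urlsplit

# Characters commonly swapped for letters to forge a lookalike hostname.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def hostname_of(url: str) -> str:
    """Lowercase host part of a URL ('' if none). urlsplit also strips any
    user@ prefix, so 'http://www.paypal.com@evil.example' yields 'evil.example'."""
    return (urlsplit(url).hostname or "").lower()


def classify(url: str, expected_domain: str) -> str:
    """Compare the URL's hostname with the domain the link claims to be.

    'genuine'   - host is expected_domain or a subdomain of it
    'embedded'  - the real name appears, but something else is to its right
    'lookalike' - matches only after undoing digit-for-letter substitutions
    'unrelated' - no resemblance at all
    Note: expected_domain must be the registrable domain (e.g. 'paypal.com');
    this simple suffix check does not consult the public-suffix list."""
    host = hostname_of(url)
    expected = expected_domain.lower()
    if host == expected or host.endswith("." + expected):
        return "genuine"
    if expected in host:
        return "embedded"
    if expected in host.translate(LOOKALIKES):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for url in ("http://www.paypal.com",
                "http://www.paypal.com.someplace.ru",
                "http://www.paypa1.com",
                "http://www.paypal.com@evil.example"):
        print(f"{classify(url, 'paypal.com'):10} {url}")
```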

For more tips on protecting yourself from phishing, visit the Federal Trade Commission’s Anti-Phishing tips site:
http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm

Techie Tip of the Week: It’s Cyber Awareness Month – Be Safe Online!

Friday, October 19th, 2012

In honor of national cyber security awareness month, this week we’d like to point out some of things you can do to make your online experience safer!

From the National Cyber Security Alliance, here are the top 31 security tips. One for each day of the month!

Techie Tip of the Week: Yahoo! Usernames and Passwords Exposed – What to do

Friday, July 13th, 2012

You may have heard that hackers recently exposed thousands of credentials for users of Yahoo! Voice.

What can you do to ensure you’re not one of them? Sucuri Malware Labs has set up a web site that checks to see if your account was one of those that were hacked:

  1. Go to the Sucuri Malware Labs Yahoo Leak Password Checker website:
    http://labs.sucuri.net/?yahooleak
  2. In the Your email field, enter your email address (note that you can sign into Yahoo! Voice using other email addresses, so you may want to check all of your email addresses, not just your Yahoo! account).
  3. Click Check email.

Hopefully your account wasn’t one of the nearly half million accounts that were leaked. But if it is, what should you do? As Sucuri notes in their blog posting “What Should I Do If My Email is in the Yahoo Leak”:

  1. Immediately change your Yahoo password.
  2. Change the password of any account that was using the Yahoo password.
  3. If you use Yahoo! Voice, you should change your password even if your account isn’t on the list of compromised accounts. When security has been breached on a secured site like Yahoo!, you should assume that all of the data are compromised, not just those that have been shown to be exposed.

For an analysis of the leak, including an analysis of the passwords people had been using, visit Sucuri’s analysis:
http://blog.sucuri.net/2012/07/analysis-of-yahoo-voice-password-leak-453441-passwords-exposed.html

Techie Tip of the Week: Beware of Viruses and Trojans like DNSChanger

Friday, July 6th, 2012

You may have heard the news — the trojan DNSChanger is set to wreak havoc on the Internet this coming Monday.

I think this is a good time to remind everyone that they should have up-to-date anti-malware programs installed and activated on their machines — and, yes, this means Mac users, too!

Stanford people can go to the Essential Stanford Software website (http://ess.stanford.edu) to download and install the Sophos anti-malware tool.

More information on the DNSChanger trojan can be found at:

Techie Tip of the Week: Update and Use Anti-Virus Software! (Even Mac Users!)

Friday, May 18th, 2012

Most Windows-based users know that they need to keep their computers patched and protected from viruses. But many Mac users have the mistaken impression that viruses, trojans, and other malware are just for Windows.

Not true! Macintosh machines are vulnerable to attack as well — there are just fewer malware attacks against Macs since it’s more difficult to create and deploy them.

As published in a recent article in the NY Times, one of the largest, widespread attacks against the Mac OS X operating system has recently hit Mac users, and it’s infected a half-million machines. First discovered in September, “Flashback” allows a remote hacker to gain access to your computer or download further malicious code to your Mac.

The fix? Make sure you have installed anti-virus software and that the tool is kept up to date.

Stanford has site-licensed the Sophos Anti-Virus software and Stanford people can download it for no additional charge by visiting http://ess.stanford.edu/ (both Macintosh and Windows versions are available for download).

Until next week, safe travels on the ‘Net!

Techie Tip of the Week: Set up Login Notifications in Facebook

Friday, April 6th, 2012

A few months ago, we talked about the importance of making your Facebook settings set to always use SSL. This week’s tip covers how to set up login notifications. You can set up Facebook to notify you when your account is accessed from a computer or mobile device that you haven’t used before. This will let you know immediately if someone other than you logs into Facebook without your knowledge or permission.

To set up Facebook to always notify you whenever someone (hopefully just you) logs into Facebook using a device you haven’t used before:

  1. Log into Facebook.
  2. Go to your Security Settings page (Click the black triangle to the right of your Account Name –> Account Settings –> Security)
  3. Click Login Notifications.
  4. Check the box Email to be notified by email; check the box Text Message/Push Notification to be notified by text messaging.
  5. Click Save Changes.

From now on, whenever you log into Facebook, you will be asked to identify the computer you’re using. And you will receive a message (either email, text, or both) with that information. If you receive one of these messages and you didn’t log into Facebook, you’ll know right away that someone else has gained access to your Facebook account and you can take appropriate actions.

Until next week, safe travels on the Net!

Techie Tip of the Week: Beware of Phishing!

Friday, March 16th, 2012

Spammers, hackers, and other online “evil-doers” often try to convince you to give up private, important info — like your bank account, credit card, password, or other secret information.

To help avoid getting caught in a so-called phishing attempt, pay attention to these tips from Stanford’s Secure Computing site (http://www.stanford.edu/group/security/securecomputing/phishing.html):

Vigilance is the only defense against social engineering. Look for these markers to know you’re getting ready to divulge too much:

  • “Here’s your big chance to play the new fantastic version of the [xxx] game!” The link, of course, goes somewhere where they will extract some private information (real name? a password that might work somewhere else? your birthdate in order to prove you are ‘old enough’ to play, etc.). This really is the #1 rule: Avoid clicking links people send you instead of using a search engine to find the proper link.
  • Anything that sounds too good to be true probably is. It is unlikely that you have won the Irish Sweepstakes, even if you elect to send in a $1,000 security payment.
  • Any time you get a solicitation in email that you did not request – even from a trusted friend – should be discarded immediately. No reputable company works this way.
  • Email with misspelled, mispunctuated, or bizarrely formatted text is almost surely a scam.
  • If something feels like it requires action, confirm via telephone with someone you know (or at least can verify, e.g., by calling the corporate headquarters) before you send money. A recent scam asks for money because your best friend (or aunt or grandmother or …) is caught in Europe (or some faraway place) and can’t return until they pay bail, or a fee, or some other money-requirement. You, the trustworthy friend or relative can help them! Call them at home to make sure they’re not there before sending money.
  • Any time you are getting ready to feel good about giving away some money or information, think twice: Why am I really doing this? Do I know who is on the other end of my bequest? “Hey, John, please remind me of the combination to get into the machine room.” Who is really asking?
  • “Please come back to FaceBook!” The link, of course, goes to a FaceBook look-alike which presumably reaps your name and password. Avoid clicking links people send you instead of using a search engine to find the proper link.
  • “Please call this number to verify [xxx].” You’ll get a recording asking you to leave all sorts of useful information. Don’t even think of calling telephone numbers you can’t verify (perhaps by checking a phone book or institutional phone list) sent to you unsolicited in email.
    Keywords to avoid: verify, account, won, lottery, respond [now, quickly], or you will suffer [some horrible thing]. See these? Click delete.
  • Vishing: These same pitches and scams work in airports, for panhandlers, and all sorts of non-computer scammers, too, by the way. They even work when people call you on the phone! “Hey, Jill, this is Ralph over in accounting. I’ve forgotten [xxx], can you help me out?” Look up their number and call them back.
  • SMSiShing: Same idea for text messages on your phone. Don’t believe a bank will text you; call them on an independently verified number.

Techie Tip of the Week — Packet Sniffers

Friday, May 20th, 2011

Last week we talked about TCP/IP and how, when data travels across the Internet, it “hops” from node to node in little pieces called packets.

Be aware! When you do things on the Internet, if the method of transport is insecure (for example, if you are looking at a web page using http instead of https, or if you are sending email to an address that is outside of your local network), the packets that are sent may be intercepted along the route by a hacker. Your email, web page, or, perhaps more importantly, web cookie (complete with your credentials intact) may get intercepted by a maleficent user!

Special computer programs, known as Packet Sniffers or Packet Analyzers, are used to do just that. As the data flows across the network, the sniffer tool captures each packet and decodes the packet’s raw data, showing the values of various fields in the packet.

You’re particularly vulnerable to having your data intercepted if you use a wireless device over an unsecured wireless network. WiFi networks have a range of about 100 yards; anyone within a football field of your wireless device could be reading your email or logging into your Facebook, Yahoo! Mail, or other account by stealing the unencrypted cookie with your login credentials.

So, what can you do?

  1. Always use https any time you log into an account.
  2. Don’t use a service that uses https during the login part but then switches back to http after logging you in. By default, Facebook and Yahoo! Mail do this. With Facebook, you can change your settings so it will always use https (Account>Account Settings>Account Security>Secure Browsing). With Yahoo! Mail, your username and password are protected, but once you log in, it switches you back to http. Anyone with sniffer software installed could read your email as it’s being sent.
  3. Be careful when using unsecured wireless networks. Don’t log into accounts that only use http. Don’t send important emails. When using one of the free wireless hotspots at a fast food restaurant, hotel, coffee shop, airport, or school (including Stanford), most likely it will be on an insecure wireless network. Anyone within a football field running a packet sniffer could easily steal your credentials and access your account.
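The “switches back to http after login” problem in tip 2 comes down to one cookie attribute: a login cookie set without `Secure` is sent by the browser on plain http:// requests too, where a sniffer can read it, while `HttpOnly` offers no protection on the wire. As an added example (not from the original post, and not Facebook’s or Yahoo!’s real headers), this script parses the `Set-Cookie` headers of a constructed HTTP response and lists the cookies that would travel in the clear.

```python
# Constructed sample response; the cookie names and values are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"        # HttpOnly only: still sent over http
    "Set-Cookie: prefs=dark; Path=/\r\n"                       # no attributes at all
    "Set-Cookie: auth=xyz789; Path=/; Secure; HttpOnly\r\n"    # Secure: https only
    "\r\n"
    "<html>...</html>"
)


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def set_cookie_headers(raw_response: str):
    """Return the values of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    return [line.split(":", 1)[1].strip()
            for line in lines if line.lower().startswith("set-cookie:")]


def cookies_exposed_over_http(raw_response: str):
    """Names of cookies the browser would also send on http:// requests
    (no Secure attribute), i.e. the ones a sniffer on the path could capture."""
    exposed = []
    for header in set_cookie_headers(raw_response):
        name, _, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print("sent in the clear over http:", cookies_exposed_over_http(SAMPLE_RESPONSE))
```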

Techie Tip of the Week: Pick a Good Password

Friday, March 11th, 2011

Setting a good password is critical to ensuring computer security.

Here are some tips for creating a good password:

  1. Longer is better — at least 9 characters.
  2. Remove all the vowels from a short phrase (e.g., llctsrgry — “All cats are gray”)
  3. Use an acronym: choose the first or second letter of your favorite quotation (e.g., itsotfitd — “It’s the size of the fight in the dog”)
  4. Mix letters and non-letters in your passwords. (Non-letters include numbers and all punctuation characters on the keyboard.)
  5. Transform a phrase by using numbers or punctuation (e.g., UR1drful — you are wonderful).
  6. Consider using a phrase instead of a word. Pass phrases are sentences or parts of a sentence, and, as such, tend to be easier to remember than passwords. When picking a pass phrase, try to have the phrase be at least 15 characters in length. The reason pass phrases work (and, in fact, are better than passwords) is that the increased length provides so many possible permutations that password-cracking programs have greater difficulty in cracking the code.
    • Decent password: tgT!b8tu (stands for the good, the bad, and the ugly, with some alternating uppercase and lowercase letters and substituting numerals and punctuation for letters or spaces)
    • Better pass phrase: The good, the bad, and the ugly is my number 1 favorite movie of all time because of the acting, the themes involved, and the plot.
    • Even better pass phrase (substituting ‘zero’ for ‘o’): The G00d, the Bad, & the Ugly is my #1 fav0rite m0vie 0f all time because 0f the acting, the themes inv0lved, and the pl0t.

More tips like these can be found at https://itservices.stanford.edu/service/unixcomputing/unix/passwords