
Why?security

Visiting Questionable Websites (or, Using Your “Internet Hazmat Suit”)

Posted: November 10th, 2014 by Sam

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:

STOP. THINK. CONNECT.

With each phishing campaign that’s conducted against UVM’s students, faculty, and staff, the Information Security Office receives dozens of notifications from astute members of the community who recognize the email messages for what they are: a scam aimed at co-opting someone’s legitimate access to UVM’s information resources.

Occasionally, these notifications include a comment like, “I knew the email was a phish, and clicked the link. Wow, was that ever a poor excuse for a website!” (or “…Wow, the site looked exactly like myUVM!”). While we appreciate the heads-up and certainly understand folks’ curiosity, the sad fact is that even the simple act of visiting one of these websites can cause trouble by forcing your browser to make unauthorized requests, instigating malware downloads, or even by commandeering your web browser for control by nefarious puppeteers.

What’s the astute-yet-curious Internet citizen to do?

In short: Leave it alone, unless you’re willing to undertake a fair amount of work. Seriously: The Bad Guys have gone out of their way to take Everything That’s Nice About the Internet and turn it against us.

You’re still here? OK, there are a few techniques that someone willing to go the extra mile (well, frankly, a few extra miles) can use to investigate suspicious sites in relative safety. But even all of these are only a hedge, and not a guarantee that nothing Bad will happen to your computer/mobile device/information. Caveat lector/Lasciate ogni speranza/Here be dragons, etc.:

The “one-time experiment” approach: A separate user account on your computer.

The easiest entrée into Fearless Acts of Internet Investigation involves becoming someone else…sort of. Modern computer operating systems (including Windows, OS X, and Linux) leverage the concept of the user account. Whether you know it or not, each time you use your own computer, you log in as a particular user (even if you don’t use a password). In most “consumer computing” cases, that user is also an administrator of the machine’s operating system, meaning that it is capable of doing just about anything to that computer including installing malware like viruses and keyloggers.

The trick to safely investigating suspicious Internet sites is to NOT have that capability. Here’s how to do it:

  • Be certain your OS, web browser, and anti-virus/malware protections are fully up-to-date. It would be sad to do all this work only to be nailed by something that’s already been addressed, no?
  • Copy the suspect link to a piece of paper. Seriously? Yes: Where we’re going, you won’t be able to copy/paste between “here” and “there”…
  • Create a non-administrator user account. On both Windows and OS X computers, this is called a “Standard” user.
  • Switch to this newly-created user account. The process differs between Windows and OS X.
  • Disable JavaScript, Java, Flash, and ActiveX in your web browser. This will address common avenues for “silent” delivery of downloads and remote control of your browser. Again, different processes for different browsers like Firefox, Chrome, Internet Explorer, and Safari. Search engines like Google, Bing, and company are your friend, here.
  • Visit the site. (You’ve been so patient!)
  • STOP if you are presented with prompts that request Administrator privileges or the installation of browser plugins. (We’re specifically trying to rob the website of these capabilities, remember? :-))

It’s important to note something here: In disabling all those browser capabilities/plugins (JavaScript, Flash, etc.), we’ve traded “fidelity” for “safety”. In other words, the site you visit may not look as intended without those bells and whistles enabled, so it could be difficult to tell whether it’s a clone of myuvm.uvm.edu, or trying to do something sneaky like turn your browser into a zombie. The antidote to this is the next method, below.

The “dedicated” approach: A virtual machine.

A “virtual machine” is basically a second computer running inside your computer’s operating system. The great thing about virtual machines is that they can generally be copied. So you can, say, create a very basic virtual Windows or Linux machine template on your Windows, Mac, or Linux computer, make a copy of it to use when visiting unsavory websites, and then throw it away when you’re done. The next time you find yourself itching to check out another questionable site, make another copy, use that, throw it away when done. A lot like a disposable hazmat suit!

Popular virtualization technologies for desktop computers include VMware products for Windows computers and Macs, VirtualBox for both, Parallels Desktop for Macs, and KVM and Xen for Linux. You could even try out one of the free cloud offerings from the likes of Amazon if you just want to dip your toe in the water without installing software on your own computer. (Please note that UVM doesn’t formally endorse or support any of these products, even though they may be in use by various units. Caveat emptor/your mileage may vary.)

The advantage of this method over the “separate user account” approach is that the isolation from your everyday operating system (known as the “host OS” in virtualization lingo) is more complete, so you can let the browser run active content (JavaScript, Flash, etc.) and get the “full website experience” with more confidence. This does make it important that you destroy the virtual machine when you’re done, since it’s basically a full-fledged computer which you’ve just exposed to a bunch of Internet contagion. Which means, if it does catch some Exotic Internet Flu, it will be an infected computer with access to other computers on your home network/UVM’s network/the Internet.

Wait: What about my phone/tablet?

Sadly, there aren’t a lot of great options here for mobile devices. For better or for worse, most mobile device operating systems (like Android, iOS, and Windows RT) only support one all-powerful user account, so the “create a non-administrator user” option is out. (Notable exception: Windows Surface tablets running Windows 8.) And while there are some “sandboxing” options that mimic running virtual machines on these devices, they’re generally part of expensive enterprise mobile device management packages. Certainly it’s possible to remotely control a virtual machine using special apps on your mobile device, but you still have to have a virtual machine to control.

So, as of this writing: Stick to a laptop or desktop computer. (But look for that to change in the future. Maybe.)

That’s pretty involved.

If both of those approaches seem like a bunch of work, it’s because they are. Over the last two decades, computer operating systems and web browsers have developed capabilities for the rapid acquisition (read: download) of content, convenient installation of software (easy-to-use administrator accounts), and a rich interactive experience (JavaScript and friends), and hacking techniques have evolved to take advantage of those capabilities for nefarious purposes. So, in order to have a truly safe experience when visiting potentially-dangerous websites, one really needs to short-circuit a whole bunch of features that the modern Internet user takes for granted.

Is it possible to do this? Yes, if you’re committed to taking appropriate precautions. Is it for everyone? We leave that up to you.

So, in conclusion…

We encourage you to STOP before clicking the link in that scam email.

Then THINK about what information you might be putting at risk by visiting that website on the device you’re currently using (your phone? tablet? laptop?) — How many passwords are saved on there? What’s in the files contained in its local storage? Have you logged into your bank using this device? Did you ever log off?

Finally, CONNECT only if you’ve taken the extensive precautions required in order to do so safely.

Questions or comments? Get in touch with us: iso@uvm.edu

 

Safe surfing,

Sam Hooker, for the Information Security Operations Team

Physical Information Security for Everyone

Posted: October 28th, 2014 by Sam

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:

STOP. THINK. CONNECT.

As weird as it might seem, there are physical aspects to securing information about you: Before your data are stolen or corrupted, there’s a need to keep track of devices and media containing information about you and your life. After someone acquires your data, there’s the possibility it could be used against you in the real world (online banking theft, physical robbery, extortion, and, in extreme cases, physical violence).

We encourage you to STOP before leaving your laptop or phone behind in a public area during trips to the restroom; before tossing your class schedule into the recycle bin unshredded; before posting information about your physical location, upcoming vacation (OK to post afterwards!), or financial habits.

Then THINK about the possible implications of this action; whether the links in that email or text message point to an official UVM website; whether you even have an account with that bank; whether Facebook is really likely to have forgotten how to use spell-check.

Finally, CONNECT with your surroundings, both virtual and physical: Is this a safe place to leave my laptop? Does this website seem sketchy?

A tiny pause can mean the difference between an enjoyable experience and a messy situation. It may seem like a lot to ask, but while we can’t claim this will make you invulnerable, it won’t be long before you don’t even realize you’re doing it.

Safe surfing,

Sam Hooker, for the Information Security Operations Team

Why would anyone want my NetID and password?

Posted: October 24th, 2014 by dpientka

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:

STOP. THINK. CONNECT.

Ever wonder why you get all those messages asking you to “Confirm your account now!” or “Login today or your email permissions will be revoked!” or “Verify your password or else!” or any number of other threats with a link that brings you to a site that might be a UVM-looking page (or not)?

The reason is simple: Your username and password opens a lock. Unlocking that lock permits the user onto the UVM network (from anywhere in the world), gives them access to your email, and may allow logins to other UVM systems with access to all the same information you have.

And if you happen to have used the same username and password on other sites there could be money at stake (your bank? Amazon?). Could be that they can access other information about you that can be used to set up an identity that looks, electronically, just like you and can open the door for medical fraud, financial fraud, and other cyber crimes that can haunt you just as you are about to buy a house, get your first credit card, and snag you during a background check for that job you always wanted.

Protecting something as simple as your NetID and password now can help you avoid these problems in the future.

We encourage you to STOP before entering in your password on a site that was linked in an email. STOP before reusing that same password on multiple sites. STOP before posting information about yourself that may hint at what your password is. (Fortunately, it’s easier to change your password than rename your dog.)

Then THINK about the possible implications of this action: Would anyone really close your account because you didn’t respond to one threatening email? What are the consequences of not entering your username and password?

Finally, CONNECT with the sender’s organization to find out whether the message was real or a scam. Work with your bank/retailer/organization to have more options than a simple username and password combo to access their services.

A little effort now can help you avoid future mayhem, or at least reduce the effort necessary to undo the damage when your username and password are compromised.

 

Darcy Pientka, for the Information Security Operations Team

Situational Awareness for Everyone

Posted: October 24th, 2014 by lzm

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:

STOP. THINK. CONNECT.

Paying attention to what is going on around you can go a long way toward keeping you and your data safe online.

We encourage you to STOP before automatically connecting to that open WI-FI hotspot.

Then THINK about both the name of the network you are connecting to — Is that actually the Starbucks WiFi network? — as well as the transactions you are performing over WiFi; make sure that any web transactions — especially shopping and banking — are only to secure web sites indicated by https:// in the URL instead of just http://. NEVER click through “invalid-” or “expired certificate” errors on shopping or banking or University websites.

Finally, CONNECT with caution.

In addition to the caveats above, consider using a VPN to protect your data in transit over an open WiFi network. A VPN creates an encrypted tunnel between your computer and the VPN server, thus protecting your data.

Note: sslvpn.uvm.edu is available for use by any UVM affiliate.

 

Lynne Meeks, for the Information Security Operations Team

Traveling Abroad without Making the News (Mobile Tech Edition)

Posted: November 5th, 2013 by Sam

Occasionally, a member of the community approaches the ISO Team to ask for our advice on traveling safely with mobile technology. While individual circumstances (including the nature of the mobile technologies/data in play, the nature of the trip, the particular destination) will dictate specifics, our general recommendations (below) will cover a lot of ground for a lot of folks.

  1. Unless there is a tremendously-compelling reason to do otherwise, leave your normal work machine (with your years of research data, UVM/previous employer’s email, grant proposals, intellectual property, personal finances, countercultural rantings, etc.) at home and take a loaner machine (provided by your Helpful IT Folks) containing only the materials necessary for the trip.
  2. This loaner should be wiped and get a fresh OS install to keep from leaking data belonging to the *last* person who traveled with it…and to keep the new traveler from picking up any *ahem* latent “gifts” acquired by the last user. Set all installed browsers to clear all private data on session termination, and disable (browser-based) password storage.
  3. Make liberal use of webmail.uvm.edu, webfiles.uvm.edu, and sslvpn.uvm.edu while abroad.

These suggestions apply to smartphones/tablets/Google Glass/smart watches/any other device that stores data which could be 1) a liability to the university if lost or 2) embarrassing to the user if confiscated. Or data the export of which is controlled under ITAR rules. (Yes, that applies to Higher Ed.)

[Edit 8 November, 2013: It's worth considering, too, that not all travel destinations feature the robust freedoms of expression that we enjoy in the U.S., so feel free to substitute/append "...or could precipitate your detention if confiscated and found to be at variance with local law."]

Why incur this much potential inconvenience? One reason is that humans have a tendency to (subconsciously) downplay the risks inherent in the data they tote around on a daily basis, and while “safe” might cost them an extra few hours over their two-week trip, “sorry” can manifest in more…time-consuming ways.

Incidentally: Simply having the storage encrypted doesn’t suffice in a number of travel zones, as customs officials may be invested with the authority to compel the owner to unlock/decrypt it. (And encryption is illegal in certain jurisdictions.)

Want to share your own tips/travel-tech stories? Got questions? Need to chat about your specific circumstances? Please let us know! As usual, we can be reached at iso@uvm.edu.

 

Cheers,

Sam Hooker, for the ISO Team

How Do *You* Spell “Shutdown”?

Posted: October 2nd, 2013 by Sam

With so much (*ahem*) “excitement” in Washington this week, it’s little wonder opportunists would seize the moment and go on a domain-registration spree, seeking to capitalize on interest in these topics of nationwide scope. The incident handlers at the Internet Storm Center (sponsored by SANS) posted an entry to their Diary today entitled:

Obamacare related domain registration spike, Government shutdown domain registration beginning

Of course, not all of the activity referenced in that post will manifest as scams, but it’s worth keeping an eye out for variations on 0bamacare.com and federalshutdown.gov.premline.ru just the same. (I’m making those up; I haven’t seen the source data mentioned in the article, though would like to.)

Fitting that this should happen just in time for National Cybersecurity Awareness Month, eh?

 

Stay safe online,

Sam Hooker, for the Information Security Operations Team

P.S.: I’d call dibs on 0bamacare.com but, predictably, it’s already been registered…
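The "keep an eye out for variations" advice in the post above can be made mechanical. The following is an added example, not code from the original post or from UVM: it classifies a link's hostname as trusted, as a trusted name embedded under someone else's domain, or as a lookalike of a watched name. The trusted suffixes, the watched names and the `example.net`/`example.org` sample links are assumptions chosen for illustration; the other two suspicious samples are the made-up domains from the post.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch (not from the post): which suffixes count as
# trusted, and which names are watched for imitations.
TRUSTED_SUFFIXES = ("uvm.edu", "gov")
WATCHED_NAMES = ("uvm.edu", "obamacare.com")
# Digit-for-letter swaps that make a name look right at a glance.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def hostname_of(link):
    """Return the lower-cased hostname of a URL or bare host, or ''."""
    if "//" not in link:
        link = "//" + link  # let urlsplit treat a bare host as a netloc
    try:
        host = urlsplit(link).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def embedded_trusted(host):
    """Trusted suffix found on a label boundary, but not at the end."""
    labels = host.split(".")
    for suffix in TRUSTED_SUFFIXES:
        want = suffix.split(".")
        for i in range(len(labels) - len(want)):  # skips the final position
            if labels[i:i + len(want)] == want:
                return suffix
    return None


def within_one_edit(a, b):
    """True if a and b differ by exactly one insert, delete or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip the differing character: in both for a substitution, in b for an insert.
    return a[i + (len(a) == len(b)):] == b[i + 1:]


def classify(link):
    """Say whose namespace the link is in; it does not judge the site itself."""
    host = hostname_of(link)
    if not host:
        return "unparseable"
    if any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        return "trusted"
    hit = embedded_trusted(host)
    if hit:
        return "embedded:" + hit
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "idn"  # internationalised name: compare by eye is unreliable
    for name in WATCHED_NAMES:
        tail = ".".join(labels[-name.count(".") - 1:])
        plain = tail.translate(LOOKALIKES)
        if tail != name and (plain == name or within_one_edit(tail, name)):
            return "lookalike:" + name  # a prompt for review, not proof
    return "unknown"


# Constructed sample links, plus the two made-up domains from the post.
SAMPLE_LINKS = [
    "https://myuvm.uvm.edu/",
    "http://federalshutdown.gov.premline.ru/",
    "0bamacare.com",
    "http://sslvpn.uvm.edu.example.net/",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link):28} {link}")
```

A "trusted" verdict only says the hostname sits inside a namespace you listed; "unknown" is the normal result for the rest of the Internet.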

Student Employees, their Laptops, and UVM Information

Posted: August 30th, 2013 by Dean

Where would UVM be without student employees? University departments hire students and other temporary employees for a wide variety of important jobs, and some of those jobs involve working with sensitive or confidential information. As is true for regular faculty and staff, any work with Protected University Information (definitions of which are in the Information Security Policy and the Privacy Policy) should be done on UVM-owned equipment. Laptops should have their hard drives encrypted.

What Can Go Wrong

There is a cost that comes with providing desktop computers or encrypted laptops for use by students and other temporary employees, but use of personally owned computers to access or work with Protected University Information presents an unacceptable risk, both to the University and to individuals whose personal information could be exposed, through theft or other mishaps. A theft is a personal tragedy for the owner, but it is potentially catastrophic for individuals whose personal information, present on the stolen device, is exposed and misused. Students are victims of laptop theft much more often than University departments, and their laptops are unlikely to be encrypted.

The UVM Information Security Policy requires personally owned devices to be encrypted if they’ll be used for any Protected University Information, but that still leaves several possibilities of inappropriate data exposure, including the owner making unencrypted backups, backing up to a cloud service such as Dropbox, and the likelihood the owner will decrypt the device, without securely erasing the files, when UVM employment ends or when selling it off.

Avoiding Catastrophe

For those reasons, the Information Security Operations Team asks departments to:

  • insist that employees, especially temporary employees, do UVM work only on UVM equipment;
  • insist that only UVM email be used for messages containing Protected University Information (including not forwarding UVM email to a service like Gmail, in the absence of a suitable agreement with UVM);
  • require that files and email related to UVM work be stored only on University approved services like UVM SharePoint sites, network folders, or UVM-provided, encrypted external drives, rather than being stored in non-UVM services (e.g., DropBox, Carbonite).

Temporary employees could be required to sign off that they’ll comply.

Should anyone use a personally owned computer, tablet, phone, external drive, or other device for any Protected University Information, it must comply with UVM requirements for encryption, access, secure erasure, and so on, as described in the Information Security Policy and its Procedures.

Let’s Talk

Do you have a way of addressing temporary employees’ secure computing needs?  Please share it via the IT-Discuss or Security listservs, or by emailing the ISO Team at iso@uvm.edu.  Please contact the ISO Team if you have suggestions or concerns, or if you need help setting up temporary employees to work securely.

Is it ever okay to share my password?

Posted: July 9th, 2013 by Dean

One’s UVM password must never be shared with anyone — not even with trusted family members, the boss, or information technology personnel.  Our passwords protect our personal information and assets, and because we’re each responsible for all use of our accounts, keeping the passwords secret protects us from any liability for others’ actions.  Please report any attempt to obtain your password to the ISO Team at iso@uvm.edu.

Some UVM Net-ID accounts are provided for departments and recognized organizations. While a carefully controlled small group of people may know the password to such an account, each person is responsible for all use of the account. The password must be changed immediately when any member of the group leaves or changes roles. Department accounts are sometimes used for managing external social media, such as Facebook and Twitter; the Social Media University Operating Procedure spells out registration and management of those accounts and passwords.

Additional Resources:

Computer, Communication, and Network Technology Acceptable Use policy [PDF]

Social Media University Operating Procedure [PDF]

“Ouch!” newsletter, May 2013, “Passwords”

Why?security blog, May 21, 2013, “Please don’t make me change my password. It’s the one I use everywhere.”

Stolen Devices and the Inconvenience of Time Travel

Posted: June 11th, 2013 by Sam

Since the beginning of 2010, UVM Police Services has sought ETS’s help in 104 device-theft cases pertaining to UVM students, faculty, and staff. One recurring theme is that there are two simple steps that users can take to reduce the impact a stolen device has on themselves and the institution, and that these steps can only be taken before a laptop, tablet, phone, or portable storage device goes missing.

  1. Enroll your portable device (laptop, tablet, or phone) in a “locate-and-wipe” service (e.g., Apple’s “Find My iPhone/iPad/etc.”, the Prey Project, LoJack[1]). These programs sport features that run the gamut from simply reporting the device’s location to wiping all data from its storage and even taking pictures using the device’s camera. In the best cases, these can help authorities recover your stolen property; at the very least a successful remote wipe[2] can prevent the (ahem) “new owner” from having access to your UVM (or personal!) data indefinitely.
  2. Encrypt the device’s storage to prevent unauthorized access to the data contained within it. This is another way of keeping the new owner’s grubby mitts off your grading spreadsheets, personnel reports, family photos, saved Amazon password (which leads to your saved credit card info), etc. Besides: Section 16.1 of UVM’s Information Security Procedures states that, “Digital storage devices and media that contain Protected University Information must be encrypted…” This also applies to external hard disks containing your backups and any removable devices you use to store Protected University Information.

    Note that whole-disk encryption only provides meaningful protection if the device is powered off or hibernating[3] when it’s stolen. You can maximize this technology’s defensive value by powering off your laptop when you’ll be in transit for more than just a few minutes, or away from it in a public place[4].

These are powerful defenses against the ill effects of losing your device and the data on it, and people using them are measurably better-off when things “grow legs”. But remember:

These technologies can only help if you start using them before your device is stolen.

If you need help with these techniques, ask your friendly local UVM technology professional or contact the Information Security Operations Team for assistance by emailing iso@uvm.edu.

Cheers,

Sam Hooker, for the ISO Team

[1] Please note that not all technology staff at UVM will have experience with these services. This is meant as a list of alternatives for your investigation, and doesn’t imply that your local tech pro will be willing to support your use of a particular package. When in doubt, ask them first.

[2] I say “successful” because the device must be connected to the Internet somehow in order to receive the “tell us where you are” and “erase your data” commands. If the thieves erase the device and reinstall fresh software, it won’t phone home looking for such instructions. But hey: At least your data is probably gone…maybe…

[3] Laptops (and technology pros) make a distinction between “sleep” and “hibernation”. If you’re not sure how to get your hardware to hibernate, ask your pet technologist for help.

[4] But really, consider taking it with you. I promise that stashing it in your bag for that trip to the restroom is way less of a hassle than filling out police paperwork and wracking your brain trying to remember whether or not you logged out of online banking. Leave the power cord behind if it helps you feel better.

What is encryption, and why should I care?

Posted: June 4th, 2013 by Dean

Encryption protects the people whose information we collect and manage, while protecting UVM from significant liability.

Encryption encodes information in a way that only someone knowing a secret key can read it. If you store sensitive or confidential information — what UVM calls “Protected University Information”[1] — anywhere but on password-protected UVM servers, it must be encrypted. Laptops, smartphones, iPads, tablets, and even USB drives can be encrypted, often quite easily and conveniently.  The encryption requirement applies to backups and “temporary” storage as well.  For example, an external hard drive must be encrypted if it is used to transfer files containing Protected University Information from an old computer to a new one.

Need help? Contact the ISO Team at iso@uvm.edu.

[1] See UVM’s Information Security Policy: http://www.uvm.edu/policies/cit/infosecurity.pdf
