Why?security: UVM's Information Security Operations Team answers "Why?"


Everything Old Is New, Again

UVM technology leaders and staff are monitoring the news around emerging global cybersecurity threats as a result of recent sanctions against Russia. We continuously engage with partners across Higher Education and in law enforcement to improve UVM’s defensive posture. As always, though, we need your help, and “the usual advice” is now more important than ever. Please…

…DO remain cautious of attachments and links that arrive via email.

About to click a link? Where does it go? Is the attachment from someone you know, or is it something you’re expecting? If not, and it’s practical to ask the sender via some other channel (phone? Teams?), do that. When in doubt, contact iso@uvm.edu for help. In the business of dealing with lots of attachments? Make sure you’re running current anti-malware protection. Having your devices managed makes this easy.

…DO be suspicious of any message demanding that you “verify your account” or otherwise provoking you with a sense of urgency.

Is the message threatening dire consequences for your digital access to UVM if you don’t act? It may be phishing: a social engineering attack designed to steal your access and your information (or UVM’s). Social engineering is a component of many major intrusions and breaches, and successful phishing makes it easier for attackers to succeed. Don’t make it easy for them to succeed. You can do your part to slow them down by making sure you only ever use your UVM credentials to access legitimate UVM sites. Need help determining what those are? Contact your technical support provider (ETS Client Services or LCOM Technology Services) for more assistance.

…DO be skeptical of unfamiliar errors arising on your computing devices.

Did an unusual error just pop up on your computer or mobile? Does it sound threatening or ominous? Does it contain a “click here for assistance” link or a phone number to call for help? Make a note of the exact error (write it down, take a screenshot, take a photo), and contact ETS Client Services or LCOM Technology Services. If there’s really something wrong, we can help. Sometimes, though, this is the result of “scareware” — an effort to frighten or intimidate you into paying money for snake oil tech support, or worse yet, allowing malicious parties to install software on your computer and remotely control it (see below).

…DO keep your computers and mobile devices up-to-date with the latest patches to operating systems and applications.

Computers run software, and software has flaws. All of it. The best thing we can do to protect ourselves from people trying to turn those flaws to their advantage is update our software when its flaws are found and patched. The operating system (OS) on all computers and mobile devices should be set to automatically update. Ditto all the applications or mobile apps in use. It’s especially important to keep any software that will interact with data from the internet — web browser, email program, productivity apps (we’re betting most of those attachments coming in via email are Word/Excel docs and PDFs), media players — current. Likewise anything you’re relying upon for security; most anti-malware tools rely at least in part on threat information collected by the vendor, so it’s critical to keep feeding that info into those tools as it’s made available. Again, ETS’s computer management is your friend.

…DO NOT allow anyone other than approved UVM support staff to remotely control any computer with access to UVM systems and data.

A “Tech Support attack” is particularly insidious, as it can result in directly granting the attacker access to your computer or mobile device. It generally starts in one of two ways: either they contact you, or you contact them.

In the former case, you get a phone call from someone purporting to be from a well-known company (Microsoft, maybe?) who claims that your computer/mobile has been observed doing something harmful on the internet, and they can fix it for you.

In the latter, an otherwise-innocuous piece of software or web page pops up a serious-looking error designed to prey upon your anxiety. Maybe it says your computer is somehow broken; maybe it claims to have found a terrible virus. But! It offers a way out! “Help” is available if you call the number presented on the screen.

Either way, whether they call you or you call them, the person at the other end asks for payment via credit card, and then frequently requires that you install special software on your device in order to fix the “issue”. The cursor moves around, some buttons are clicked, and they assert the “problem” is fixed. In all likelihood, there was nothing wrong. But there is now. The software they wanted installed allows them to remotely control your device and/or copy your private data (or UVM’s private data) off the device so they can sell it or use it to extort money. They may even leave a parting gift of ransomware, adding insult to injury.

…DO ask questions if you’re unsure about an online interaction.

ETS’s Information Security Office exists not only to protect UVM, but to help UVM’s community protect itself. There are no “stupid questions”, and the increased sophistication of modern cybersecurity threats means that anyone could fall prey to attack. We’re here to help and teach, not to judge. Please feel encouraged to reach out with your questions or concerns by emailing iso@uvm.edu.

In this time of heightened tension, let’s act early on anomalies — unexpected “urgent” emails, novel errors, unexplained reboots. It’s easy to write these off as being the same little bumps in the road that have always existed in online life, and most of them are. Spotting the truly important ones is going to require each of us to be on the lookout. Computer did something weird? Check your gut, then get in touch if needed.

OK, there is something new…

Disinformation and misinformation online are a recognized threat at many levels. While differences of opinion and interpretation are the hallmarks of a vibrant intellectual community, there’s no place for bad-faith misdirection and outright lies. Our law enforcement partners have asked for early warning of disinformation and misinformation campaigns observed by our communities, especially in social media platforms. Please reach out to iso@uvm.edu if you observe something concerning in this vein.

When the Attacks Aren’t Just Cyberattacks


ISO intern Josh Baker contributed the “protecting others by protecting ourselves” theme to this article.

Others have eloquently addressed the injustice that is the ongoing Russian aggression against the people and the state of Ukraine; suffice it to say that no one deserves to be subject to physical violence, and we dearly hope that we soon see the Ukrainian people back in their homes and restored to peace, engaged in the challenge that is self-government by democratic means.

We are no experts in warfare here, but it seems that war has long been waged across the combatants’ full spectrum of capabilities. The addition of cyberattacks — whether designed to spread disinformation or destroy/take control of critical infrastructure like power and water supplies — represents a logical (if frustrating) progression of war’s malignancy. Reliable sources indicate that Russia has waged cyberattacks in its current campaign against Ukraine* and, as global governments move to pressure Russia into abandoning that campaign, many citizens (including leaders) are wondering whether Russia will use its cyberarsenal against their country or their organization in response.

* Attributing cyberattacks to a specific source is difficult and fraught with peril. Our recommendations here apply no matter who’s on the offensive.

Here at Why?security we’re almost always writing about how the UVM community can protect itself from online threats. What if, this time, we look at a few cyber hygiene basics in terms of how we can help others?

Protecting others by protecting ourselves

We can do some meaningful work to improve the cyber landscape, each of us making it just a little more difficult for any adversary to succeed in attacking both ourselves and others. Modern cyberattacks may be a study in variety with endless combinations of the old and the new, but there are a few common themes and we as individuals can actually exert control over two of them in particular. Let’s imagine these as two doors, and a cyberattacker must open at least one of them in order to succeed.

Door #1: unlocked, unguarded

Update your software. All of it. Run current versions of your applications. MS Word. Chrome. And your operating systems. Windows. macOS. Android. On all devices in your control. Laptop. Phone. Watch. Thermostat. Why?

All these devices run software, and all software has flaws. Some of these flaws can allow intruders to remotely control the devices, which means some of them can be turned into cyberweapons in an attack against you. Or your school. Or your town government. Or even someone else entirely. Like a country thousands of miles away that’s fighting for its life. Old, outdated software is like a door that’s cracked open and unwatched. Cyberattackers can waltz right through.

We can’t (yet) stop software from having these flaws, but we can address them by applying updates as soon as they’re available. Successful cyberattacks require an unbroken chain of events. Yes: Updating your web browser may just break that chain. And when enough of us do it, we limit the attackers’ options, increasing the chances that they’ll fail and we’ll win.

Door #2: locked, but…

Pay attention to the places you use your passwords. For your UVM NetID, that’s sites whose domain name ends in uvm.edu, and nowhere else.

Your NetID password secures an account that can do lots of things. Things that probably seem innocuous, like sending or receiving email. Email which can spread malicious software. Or try to harvest others’ passwords. Or sign up for a social account to publish disinformation or intimidation. We can be tricked — especially if we’re in a hurry — into giving away our passwords. That’s like having a locked door with someone on the inside letting in anyone who knocks.

Many of us — even those of us who feel confident we can’t be tricked — have a tendency to hurry when under pressure. And maybe skip steps. Like forgetting to check what site we’re on when entering our NetID and password. Attackers capitalize on this very human tendency by making us feel pressured. Your email will be shut off tonight. Your account will be suspended. You ordered this very expensive thing and we’re about to charge your card. And the message looks like it came from someone else at UVM.

Breathe.

Excellent. Now: Check the site you’re on. No uvm.edu? No NetID and password. Use a password manager; many will prompt for an extra confirmation if asked to fill a password into the wrong site. Find yourself at some other website trying to charm — or intimidate — your UVM password out of you? Window: closed. Threatening email: deleted. Chain: broken. We’re winning.

Is this saving Ukraine?

Directly? Maybe not. But if taking these small steps keeps some weapons out of the hands of cyberattackers, then maybe so. Take as many other meaningful, positive actions as you’re able: Make your voice heard, contribute resources, volunteer. But also guard Door #1 and Door #2, because a world where fewer cyberweapons are left lying around for use in conflict is a world where cyberwarfare won’t grow unchecked. And that’s meaningful too.

BOLO: COVID-themed Attacks

As COVID-19 continues to dominate the news cycle and daily life, the UVM Information Security Office would like the community to Be On the Look-Out (BOLO) for cyber criminals using COVID-19 as a theme for phishing emails, scams, and other attacks on the security of your information and that of the University.

These attacks could take the form of:

  • phishing emails regarding online learning or telecommuting, potentially providing a link to log in to an “online learning portal”;
  • fraudulent donation sites;
  • news hoaxes;
  • messages that look like they come from officials (such as WHO representatives or Red Cross workers) and ask for personal information or donations.

Remember: Be wary of any email or message that urges you to take swift action, plays on your fears, or involves money. Be skeptical of “UVM” communications coming from outside of the UVM community and remember not to enter your NetID credentials on non-UVM websites.

More information on these types of phishing attacks can be found at https://www.helpnetsecurity.com/2020/03/09/coronavirus-scams/ and more information on UVM’s response to COVID-19 can be found at https://go.uvm.edu/covid19.

Windows 7 Advisory

This post is part of a series contributed by the ISO’s 2019-2020 student intern Emily Connolly, ’20.

On January 14th, 2020, Microsoft support for Windows 7 will end, which means that version of Windows will no longer receive patches to fix bugs or security flaws.

Why is this happening?

End of life is the term used by Microsoft when they no longer support a system or service, often because it has become outdated. With the arrival of Windows 10, Microsoft began phasing out mainstream support for Windows 7 in January of 2015.

How does this affect me?

Failing to update to Windows 10 and continuing to run Windows 7 can leave users vulnerable to cyberthreats. With no more patches or updates to fix bugs and vulnerabilities, hackers can exploit these security flaws. Even if Microsoft or its users discover additional security flaws in Windows 7 after January 14th, it is likely that they will not be patched. Some attackers may even be sitting on zero-days (security flaws that are known but have no patch), waiting for the system’s end of life to exploit them.

Updating your machines to Windows 10 will mitigate this risk.

How do I know which version of Windows I’m running?

By searching for “system information” in your start menu, you will be directed to a window with information on your system, including what version of Windows you’re running under “OS Name.”

What should I do now?

If you haven’t yet updated to Windows 10, it is important to do that in the coming weeks before the Windows 7 end of life. Encourage your friends, classmates, and your co-workers to do the same. If you are unable to upgrade, keep a close eye on your machine for unusual behavior in the weeks following the Windows 7 end-of-life and keep your anti-virus and security software up to date.

Help!

For more information or help upgrading to Windows 10, please visit or contact UVM’s Tech Team at tech.team@uvm.edu or www.uvm.edu/it/help.

“DUO” the Necessary Steps to Protect Yourself!

Enabling Multifactor Authentication

This post is part of a series contributed by the ISO’s 2019-2020 student intern Emily Connolly, ’20.

What is multifactor authentication? How do I use the DUO app? How do I lock down my passwords? If these questions keep you up at night, read on. If not, read on anyway; it’s important knowledge to have.

Multifactor authentication (MFA) is the practice of having two or more methods of verifying your identity when logging into an account. Entering your password is one method of verification, and others may include a text sent to your phone with a code, a security question, or even biometrics, like your fingerprint.

MFA types fall into three major categories: something you know, something you have, something you are.

A password or a security question is something you know. It doesn’t change often and is a piece of information that can be leaked or stolen. The second factor, however, requires something you have (a one-time code) or something you are (a fingerprint) to proceed. These are much harder to obtain fraudulently without physically stealing your phone or one of your fingers (in which case you’d have much bigger problems).

You’ve probably used multifactor authentication before—Google accounts often enforce it when you’re logging in on a new device.

Multifactor authentication helps protect your account by setting up several ways to verify that it’s really you logging into your account. That way, even if someone cracks your password, there is another, tougher layer of security for them to get through.

Multifactor Authentication at UVM

Here at UVM, some resources are protected by DUO Multifactor Authentication. With this tool and the free smartphone app, users receive a one-time verification to use alongside their login credentials. This verification can arrive as a push notification from the app (the easiest method) or as a six-digit code displayed in the app. The code can also be sent as a text message or delivered by a call to a landline phone, and users can generate a list of backup codes for use when offline.

This method adds a second step to the login process and thwarts would-be attackers who may have your password, but do not have access to your phone. Multifactor authentication protects you, your information, and the University’s information.

However, beware if you receive a request in your DUO app that you did not initiate. Sometimes users get a push notification on their mobile device (tablet or phone) when they know they did not attempt to log in. Denying the request is your best option; it could be someone else attempting to gain access to your account.

More information

To learn more about multifactor authentication here at UVM you can visit https://www.uvm.edu/it/kb/article/duo-multi-factor-authentication or read the Duo FAQ at https://www.uvm.edu/it/kb/article/duo-faq. We also made another blog post back in 2016 on the matter, which you can read here.

Go Phish!

Defeating phishing emails and securing your inbox

This post is part of a series contributed by the ISO’s 2019-2020 student intern Emily Connolly, ’20.

It’s 8am on a Monday morning. You pour yourself a cup of coffee and open your laptop to read all the emails you’ve been putting off since Friday afternoon.

This is you.

When you open your mail inbox, this message is waiting:

“Oh no!” you think. “Have I not been getting my emails? What does this mean?”

Hmm. Now this is interesting.

Before doing anything, however, it’s important to consider the threat of a phishing scam—an attempt to steal your UVM credentials (your NetID and password). A phishing scam often comes in the form of an email, perhaps one asking you to enter your UVM credentials or offering a well-paying part-time job from a professor working overseas.

Oftentimes, phishing scams will try to play on your emotions—a message threatening to delete your account, the idea of an easy side job, or a compromised UVM NetID. The goal is to get you to act fast, entering your UVM credentials to solve the problem quickly without noticing the signs that the email you received isn’t actually legitimate.

It’s time to be a detective!

Here are some things to look for when you see a suspicious message:

  1. Check the email subject. Has it been left blank? Is it vague? Does it use a “scare-tactic” to get you to act fast? Do you feel pressured?
  2. Who is it being sent by? Is it not a UVM email? Is it someone you don’t know? If it is someone you know, is it a strange request for them to have?
  3. Where are the links going to? Any email that asks you to enter your UVM password on a non-UVM web site is a phishing scam. UVM will never ask you to enter your UVM NetID and password on a non-UVM web page—even if it looks like a UVM page, and even if it’s on a reputable site, such as Google Docs, or if it contains UVM graphics and you’ve been directed there by an email that appears to come from a UVM email address. Remember: The UVM Tower logo or any related graphic is not a guarantor of legitimacy.

For example, this email here is directing users to a Weebly site, and by mousing over the link, you can see where the link will take you without clicking.

  4. Does the email have strange capitalizations or odd grammar and spelling? Is there no greeting or sign off? Does the signature not match the email sender?
  5. Is money involved? Do they want me to help them pass checks or move money with the promise of payment afterward?

This email here contains the strange formatting and the promise of money. It’s a scam!

  6. Ask your friends. Does the email seem like a scam to them? Sometimes, taking a step back from the situation can help you think more clearly.

“Harold, that’s not from UVM! They’ll never ask for you to enter your credentials on a non-UVM page!”
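The two habits described above, Door #2’s rule that a NetID belongs only on sites whose domain name ends in uvm.edu and the detective’s trick of checking where a link really points before clicking, as an added Python example (not UVM’s own tooling). The HTML message, the example.com/example.net hosts and the 198.51.100.7 address are constructed for illustration.

```python
"""Inspect where an email's links really go, as mousing over them would.

Added example, not UVM's tooling. SAMPLE_EMAIL is a constructed phishing
message; its destinations use RFC 2606 example domains and the documentation
address 198.51.100.7, not real sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uvm.edu"   # the post's rule: NetID only on sites ending in uvm.edu

# Visible link text that itself looks like a URL (dotted host, no spaces).
URL_LIKE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?:/\S*)?")


def is_uvm_host(url: str) -> bool:
    """True only if the URL's hostname is uvm.edu or a subdomain of it.

    Testing '"uvm.edu" in url' is the classic mistake: it accepts
    uvm.edu.example.net, notuvm.edu, evil.example/uvm.edu and
    uvm.edu@evil.example. Parsing the hostname and matching on whole
    labels rejects all four.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so wrapped link text compares cleanly
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def inspect_links(html: str) -> list:
    """One finding per link: text, real destination, and why it is suspicious.

    Flags a link whose destination is not a uvm.edu site, and a link whose
    visible text is itself a URL naming a different host than the real href.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        reasons = []
        if not is_uvm_host(href):
            reasons.append("destination is not a uvm.edu site")
        shown = URL_LIKE.fullmatch(text)
        real_host = (urlsplit(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real_host:
            reasons.append("link text names a different host than the real destination")
        findings.append({"text": text, "href": href, "suspicious": reasons})
    return findings


# Constructed sample: a quota-scare message with three deceptive links and one honest one.
SAMPLE_EMAIL = """
<p>Your UVM mailbox is over quota and will be locked tonight.
<a href="https://uvm-login.example.com/verify">Click here to verify your account</a>.</p>
<p>Or go to <a href="http://198.51.100.7/netid">https://www.uvm.edu/account</a>.</p>
<p>Need help? See <a href="https://www.uvm.edu/it/help">www.uvm.edu/it/help</a>.</p>
<p>Portal: <a href="https://uvm.edu.example.net/">https://uvm.edu.example.net/</a></p>
"""

if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL):
        verdict = "; ".join(f["suspicious"]) or "looks consistent"
        print(f'"{f["text"]}" -> {f["href"]}: {verdict}')
```

The same `is_uvm_host` check is what a password manager effectively performs before offering to fill a saved NetID password, which is why the post recommends one.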

If you’re ever unsure about the legitimacy of a message, you can contact the Computing Help Line at 656-2604, or submit a help request online. You can also contact the organization or office the email purports to be from, but not by replying to the suspicious email. Instead, use the address you have on file for the organization or the one displayed publicly on its website.

You can also report phishing emails by forwarding the phishing email with full headers to abuse@uvm.edu. (To forward a message with headers, please see https://www.uvm.edu/it/kb/article/forwarding-full-mail-headers)

What to do if you’ve fallen for a phishing scam

Time to call the UVM Computing Helpline!

If you’ve followed the link in the message, or replied to this email or one like it, you should change your password immediately at www.uvm.edu/account. Contact the UVM Computing Helpline if you need assistance changing your password. You should also change any similar passwords to your UVM password.

More info

For more information about phishing scams, view our Web page on protecting your NetID and password.

Yahoo! You’re now ready to conquer the inbox!

Protecting Your NetID Password

You’ve probably heard by now that UVM has been subject to a computer system intrusion that has the potential to result in the malicious use of UVM NetIDs and passwords. Here’s the crux of the announcement:

The University has no indication that personally identifiable information has been accessed or compromised. Nonetheless, the University is taking the proactive step of requiring that ALL passwords be changed immediately and no later than 4:30 PM on Thursday, May 24.  Accounts with passwords that have not been changed by this time will receive an additional notification, will have their passwords expired, and a change will be required before the account can be used again.

Ongoing monitoring of the University’s computer systems resulted in early detection of this system intrusion, which improved our ability to implement protection and mitigation strategies. The University continues to work with law enforcement and information security experts to investigate and address the intrusion.  Users are asked to be extra vigilant with their computer use and report any suspicious activity to abuse@uvm.edu.

For more information you can read the full announcement and an up-to-date FAQ.

While no one likes maintaining passwords, they remain an important part of the security infrastructure at UVM and our peer institutions. We’ve recently implemented Multifactor Authentication for access to our most sensitive services, such as PeopleSoft, VPN (Virtual Private Network), and Virtual Desktop Infrastructure, and we may protect more systems with MFA in the future. Even with MFA in place and our strong password standards, you can help protect yourself and the University by following these guidelines:

  1. The longer the password, the more difficult it will be to crack. UVM NetID passwords are required to be at least 12 characters long, but longer is better. You can even use a phrase, or a string of random words, e.g. ‘owls are my favorite flying Things.’ or ‘house caterpillar verify peanut’.
  2. The more character sets used, the more secure the password. Different character sets include:
    • upper case letters (A B C D)
    • lower case letters (a b c d)
    • numbers (1 2 3 4)
    • punctuation or other symbols (! @ # $)

    UVM NetID passwords require at least two different character sets, but more is better.

  3. The more complex a password is, the more difficult to guess. Complex passwords are:
    • not based on single words found in the dictionary, in any language
    • not words spelled backwards, common misspellings or abbreviations
    • not sequences (12345678) or repeated characters (22222222)
    • not common mathematic sequences and series like Fibonacci numbers, Pi, or prime numbers
    • not keyboard layout sequences (QWERTYPOIU, qazwsxedc or similar)
    • not dates like birthdays or anniversaries
    • not personal information like names of friends, relatives, pets or children
    • not another unique identifier like your Social Security Number, student ID number, bank PIN, driver’s license number or passport number

An ideal password is one that is easy for you to remember, impossible for a human to guess, and more difficult for a computer to crack. While UVM stores passwords in a strongly encrypted form, attackers could potentially leverage the computational power of botnets and modern supercomputers to crack weaker passwords with relative ease.
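The three numbered guidelines above, turned into an added Python checker (example code, not UVM’s password-change system). The wordlist, the keyboard rows and the personal-information tokens passed to `check_password()` are constructed stand-ins; a real deployment would consult large multilingual dictionaries and the account holder’s profile data.

```python
"""Check a candidate password against the guidelines in this post.

Added example, not UVM's own password-change code. WORDLIST and the personal
tokens passed to check_password() are constructed stand-ins for the real
dictionaries and profile data a production checker would consult.
"""
import re

MIN_LENGTH = 12      # "at least 12 characters long, but longer is better"
MIN_CHARSETS = 2     # "at least two different character sets"
RUN = 4              # shortest run treated as a sequence, repeat or keyboard walk

# Constructed stand-in for "single words found in the dictionary, in any language".
WORDLIST = {"password", "welcome", "catamount", "vermont", "burlington", "football"}

# Keyboard rows, plus the columns read top to bottom (catches qazwsxedc).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "qazwsxedcrfvtgbyhnujm")

# Leading digits of the Fibonacci numbers, pi and the primes.
MATH_SEQUENCES = ("1123581321345589144", "31415926535897932384",
                  "235711131719232931")

# YYYYMMDD or MMDDYYYY for years 1900-2099 (a loose match is fine for a lint).
DATE_RE = re.compile(r"(?:19|20)\d{2}[01]\d[0-3]\d|[01]\d[0-3]\d(?:19|20)\d{2}")


def charsets_used(pw: str) -> int:
    """Count character sets present: upper, lower, digits, anything else.
    Assumption: a space counts as 'anything else', so the post's spaced
    passphrases satisfy the two-set rule."""
    return sum((any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))


def has_run(pw: str, steps) -> bool:
    """True if some RUN consecutive characters all step by one of `steps`
    ({1} or {-1}: abcd / 4321 style sequences; {0}: 2222 style repeats)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - RUN + 1):
        window = codes[i:i + RUN]
        if {b - a for a, b in zip(window, window[1:])} in steps:
            return True
    return False


def has_chunk_in(pw: str, references) -> bool:
    """True if any RUN-length slice of pw appears in one of the reference
    strings or its reverse (keyboard rows, digit constants)."""
    low = pw.lower()
    for i in range(len(low) - RUN + 1):
        chunk = low[i:i + RUN]
        if any(chunk in ref or chunk in ref[::-1] for ref in references):
            return True
    return False


def check_password(pw: str, personal=()) -> list:
    """Return the names of the guidelines the password violates ([] = OK).
    `personal` holds tokens such as names, pets and birthdays."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if charsets_used(pw) < MIN_CHARSETS:
        problems.append("too few character sets")
    letters = "".join(c for c in pw.lower() if c.isalpha())
    if letters in WORDLIST or letters[::-1] in WORDLIST:   # word, or word spelled backwards
        problems.append("dictionary word")
    if has_run(pw, ({1}, {-1})):
        problems.append("sequential characters")
    if has_run(pw, ({0},)):
        problems.append("repeated characters")
    digit_runs = re.findall(r"\d{%d,}" % RUN, pw)
    if any(has_chunk_in(run, MATH_SEQUENCES) for run in digit_runs):
        problems.append("math sequence")
    if has_chunk_in(pw, KEYBOARD_ROWS):
        problems.append("keyboard sequence")
    if DATE_RE.search(pw):
        problems.append("date")
    flat = re.sub(r"[^a-z0-9]", "", pw.lower())
    if any(re.sub(r"[^a-z0-9]", "", t.lower()) in flat for t in personal if t.strip()):
        problems.append("personal information")
    return problems


if __name__ == "__main__":
    for candidate in ("house caterpillar verify peanut", "Password1234", "qazwsxedc1"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```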

Using a string of random words is a great alternative to remembering a string of gibberish (or choosing a weak password):

Image: xkcd—a webcomic of romance, sarcasm, math, and language (Creative Commons BY-NC 2.5)

A few other tips:

  1. Use a password keeper. You’ll only need to remember your master password, and most password keepers can generate strong passwords for you that you won’t need to remember. Many password keepers integrate with your web browser so you don’t even need to type the passwords to use them. Among the password keepers used by IT staff at UVM are LastPass, Dashlane, KeePass, and 1Password. While we don’t support or endorse a specific password keeper at this point, they represent a mature technology that is reliable, secure, and convenient.
  2. Don’t use your UVM password anywhere else. This is the main reason we require annual password changes: if another password database has been breached (such as those at Yahoo!, eBay, and Adobe) and users have used the same password there that they do at UVM, eventually the attackers will discover that they have working UVM credentials.
  3. No passwords on sticky notes! (No, really. It’s 2018.)
  4. Take steps to protect yourself from malware and phishing scams. Keylogger malware, which captures your keystrokes and passes them along to malicious actors, is a common source of compromised credentials. Keep your antivirus software up to date and don’t visit any dubious websites. Be sure to check the URL bar of your browser any time you’re entering your UVM credentials into a website (even if it looks familiar); make sure you’re always at uvm.edu/.


Being “Smart” With Your Smartphone

Last month was National Cyber Security Awareness Month.  To keep you thinking about security, this is the third of four tips based on current hot topics at the university.


Chances are, if you have a smartphone, you know what a useful tool it can be, and chances are even greater that using it as a “phone” makes up only a small share of that use. With that in mind, we offer some tips to help you stay secure:

  • Stay up-to-date with software updates.  We know that change is hard and often not welcome, but updates usually include important security fixes that ensure the information you enter, access, and store in your smartphone stays secure.
  • Set a passcode.  It doesn’t have to be a combination of 23 letters, numbers, and special characters.  Even just enabling the passcode enables important security features, such as encrypting the data on the phone so that only someone with the correct passcode can decrypt it.  A four-digit passcode is a start, but even better is something simple that adds a bit of complexity yet is easy to type on a tiny virtual keyboard.  Examples: 37Snowflake or Freefall28
  • App Stores.  Sticking with the native app stores, such as the Apple App Store or Google Play Store, will help to ensure that the apps you install don’t contain any password-stealing malware.  There are examples of simple game apps stealing information from your phone and sending it off to the Internet while you’re playing the game.
  • Loss/Theft: Subscribe to the “find my device” service for your particular phone.  By doing this, if you do lose your phone, you’ll have multiple options for locating the device, sending a message to it, or even erasing it remotely.


The Password Is Dead: Long Live…Anything Else!

Executive Summary

[read time: approx 1.5 min.]

Passwords by themselves are no longer sufficient for protecting your information and UVM’s information from everyday attacks. UVM is moving to require multi-factor authentication (MFA) to protect the most critical information at first, and all of the university’s online assets in the long run.

This means that logging into certain online services provided by UVM’s Enterprise Technology Services (ETS) will require something in addition to your password, similar to many online banking applications. ETS is starting this process with PeopleSoft in October and November of 2016. A very simple, free smartphone app called Duo Mobile is the recommended method (really, the only one which will scale to the size of UVM’s entire population) and is anticipated to satisfy the needs of the vast majority of UVM users. There are other options; they’re reserved for cases where use of the Duo Mobile app is impossible or its use otherwise presents extreme hardship.

The Details

[read time: approx. 8 min.]

For a long time and for a lot of people, “information security” has meant a stream of Don’ts* and basically only one Do: Create a “strong” password and keep it secret. This approach meant that we IT professionals had to repeatedly connect with our public (something we know you love) as the threats evolved and the definition of “strong” evolved with them. Until now, this translated into ever-more-complicated requirements resulting in a completely unmanageable stable of passwords for accessing your digital life. And maybe “stable” is the wrong word, since one of those requirements is that you change most of your passwords at varying intervals. It drives you crazy, it drives us crazy, and in the modern era the password doesn’t even do what it’s supposed to any more.

* Don’t open that email. Don’t click on that link. Don’t visit that website. Don’t …, don’t …, etc.

What is a password supposed to do, anyway?

My password is a little secret, shared only between me and some computer service, which is supposed to prove that I am who I claim to be.

That’s it.

I show up at some speakeasy on the internet and knock on the heavy steel door. The bouncer inside slides that little metal peep cover aside and says (in a 1920s Bronx accent), “Who’s dere?” “sthooker,” I say. “What’s the passwoid?” she asks. “******************,” I respond. (Clever, right?) And if that is in fact sthooker’s password, I’m in. And everybody inside thinks I’m sthooker. What could possibly go wrong?

Aye, there’s the rub.

Our little speakeasy analogy is slightly flawed: First, there’s no intelligent human bouncer who could recognize my appearance through that peephole or recognize my voice through the door. It’s more like I slip a punch card under the door containing “sthooker” and “******************” and a computer rather undramatically either opens the door or doesn’t. Also, the establishment is no longer a speakeasy; now it’s a Special Library containing every piece of information — academic, financial, personal, and health-related information pertaining to myself and anyone else — that I handle in my role at UVM.

And now we come to the problem with passwords: Anybody else with the same punch card can show up and enter the Special Library claiming to be me. And our bouncer can’t tell the difference.

Put another way: My password is reusable. This means that if someone captures my password — whether by infecting a device of mine with keystroke-logging malware or by tricking me into revealing it to them — they can use it over and over again, just like I can. That’s right: It doesn’t change often enough. (I know — we make you change your password once per year, and that’s too often.) But in order to effectively counter current threats, the password would need to change every time I used it.

That sounds like a lot of work. Besides: Who would pretend to be me?

Perhaps disappointingly, it’s probably not about you or me, per se. Our UVM NetIDs give us access to a number of Hot Commodities. Commodities like…

  • …private information about us, some of which could be used to fraudulently open financial accounts in our names (remember the Special Library?);
  • …the ability to see and change where our paychecks are deposited (if you work here; this includes student employees);
  • …some or all of our academic and research data;
  • …private information about other people (students under our tutelage, employees in our charge);
  • …a reputable spot on the US internet, which is useful if you’re a criminal operator attacking American networks or American businesspeople. (Yes, the Bad Guys frequently hijack UVM accounts just so they can turn around and victimize someone else, somewhere else.)

This is quite a potential trove, considering the relative ease of acquiring someone’s password.

So this is serious. How do we fix it?

Easy: We tell our bouncer to demand something else in addition to a password before she believes anything the person knocking on the door says.

Oh! Like “Security Questions”?

Not exactly. Security questions suffer the same weakness as passwords: They’re both something I know which does not change (often enough). What we really want is for our additional element of proof (called an authentication factor) to be something I have, or even something I am so that even if someone captures that Something I Know (the password), they can’t get in without having the Something I Have or being the Something I…well, me.

In implementing multi-factor authentication (MFA) we’ve increased the amount of work the Bad Guys need to do in order to access my Special Library: Perhaps they’ve already done some work (albeit only a little) to get that Something I Know, but now they have to either acquire the Something I Have or convincingly impersonate me*. These days, the Bad Guys are in business, and now it suddenly costs more to access my Special Library — especially considering many criminal gangs operating in this space seem to be based overseas. It may be cheap for them to send a few emails and phish my password, but it’s probably much more expensive to send someone to steal something from me (such as my smartphone). At this point, most run-of-the-mill Bad Guys move on to softer targets. This is not to say no one will ever expend significant effort to target you specifically, but the likelihood is lower (see ego-deflating “it’s not about you” commentary, above) and information security is a game of reducing or minimizing risk; we can very rarely eliminate risk entirely.

* We’re not talking about accents and disguises, here; they’d need to “impersonate me” in a way that computers care about — mostly high-contrast features of my person which sensors can pick up in either the visible or infrared spectra, e.g. the patterns of blood vessels in one of my hands or on one of my retinas. Read up on biometric authentication for more information.

Additionally: Recall that the main problem with the password all by itself is that it is reusable. It would be best if our second authentication factor took care of changing itself after each use. The Duo smartphone app does this for me. It’s something I have, and there are machinations behind the scenes which ensure each access token is usable only once. In other words, if someone somehow intercepts my password and my Duo access token as I’m using them, they cannot use what they’ve captured over and over again to access the Special Library.
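To make “usable only once” concrete, here is an added example written for this post (it is not Duo’s code, and Duo’s push mechanism is a different protocol): a one-time code in the style of RFC 4226 (HOTP) and RFC 6238 (TOTP), together with the server-side check that turns a valid code into a single-use one. The shared secret (the RFC 4226 test-vector secret), the 30-second time step, and the “last redeemed step” bookkeeping are assumptions for illustration.

```python
# Added example: a one-time second factor in the style of RFC 4226 (HOTP) and
# RFC 6238 (TOTP), plus a verifier that refuses replays. Illustrative code
# written for this post; not Duo's implementation. The secret, time step and
# bookkeeping scheme are assumptions.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then
    'dynamic truncation' down to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the current time step.
    'now' is passed in as a Unix timestamp so the result is deterministic."""
    return hotp(secret, now // step, digits)


class SecondFactorVerifier:
    """Server side of the 'something I have' check.

    Checking the code is the easy part. What makes the factor single-use is
    remembering the highest time step already redeemed and refusing anything
    at or below it: a code captured in flight is worthless the second time,
    even inside the same 30-second window.
    """

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew            # tolerate +/- one step of clock drift
        self.last_used_step = -1    # highest counter already redeemed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_used_step:
                continue            # already redeemed (or older): a replay
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_used_step = candidate
                return True
        return False


def demo() -> dict:
    """One legitimate login, a replay of the same captured code, then the
    next fresh code. The secret is the RFC 4226 test-vector secret (a demo
    assumption; real secrets are random and per-user)."""
    secret = b"12345678901234567890"
    verifier = SecondFactorVerifier(secret)
    now = 59                                  # RFC 6238 test-vector timestamp
    code = totp(secret, now)
    return {
        "first_use": verifier.verify(code, now),                        # True
        "replay": verifier.verify(code, now),                           # False
        "next_code": verifier.verify(totp(secret, now + 30), now + 30),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is the `replay` result: the second presentation of a perfectly valid code is refused, which is the property a reusable password lacks. The `skew` allowance is the usual trade-off between tolerating phone clock drift and narrowing the window in which a captured code is still fresh.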

So I can ditch my password now and just use this other thing?

No, not yet. If we did that, someone with the means to steal (or even borrow) your phone could access your Special Library using only Duo Mobile. You want (at least) two factors working together.

Can’t I just do “Security Questions” instead?

Nope.

Drat.

Sorry.

So, this is it, right? Problem solved, right? No more annoying security things to do after this one?

Sadly, it’s not likely to be the great Eternal Security Silver Bullet everyone hopes for. (Nothing is.)

Multi-factor authentication improves our protections tremendously over the lowly (and lonely) password, and will probably be enough of a deterrent to drive cost-conscious Bad Guys away from you and UVM (for now) in search of easier pickings. But defending UVM’s community from these attacks mirrors any other parasite-host relationship: As we (the host) improve our defenses, the Bad Guys (the parasites) will improve their attacks. As a famous monarch once said, “Now, here, you see, it takes all the running you can do, to keep in the same place.”

Is there anything else I need to do?

If you don’t already have a strong passcode or biometric (like the fingerprint readers on various Android devices or Apple’s Touch ID) protecting your mobile device, now is the time. Additionally, Duo Mobile defaults to allowing anyone in possession of the device to approve login requests without unlocking that device: It would be prudent to disable that feature.

Finally: Be suspicious of any Duo request that shows up when you’re not expecting it. That could be a sign that someone, somewhere has captured your password and is trying to use it right now. Your last line of defense between that Evil-Doer and your Special Library is Duo Mobile’s red Deny button. If you Approve unexpected requests, you could be letting the Bad Guys in — and all this work was for naught.
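The same signal is visible from the server side, and a stream of such prompts is worth watching for. The following is an added example written for this post, not Duo’s code or log format: a small detection pass over constructed push-outcome records that flags a user who pressed Deny (the password should be treated as compromised) and a user who received several unapproved pushes in a short window (someone retrying a stolen password in the hope of an accidental Approve). The JSON field names, the ten-minute window and the threshold of three are assumptions.

```python
# Added example: server-side detection of the situation described in the post,
# run over constructed log lines. Neither the log format nor the thresholds
# are Duo's; they are assumptions chosen for illustration.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One JSON object per line, recording
# how each push prompt ended: approved, denied, or timed out unanswered.
SAMPLE_PUSH_LOG = """\
{"ts": "2022-03-01T09:00:00", "user": "alice", "ip": "203.0.113.7", "result": "denied"}
{"ts": "2022-03-01T09:05:00", "user": "carol", "ip": "198.51.100.4", "result": "approved"}
{"ts": "2022-03-01T09:10:00", "user": "bob", "ip": "203.0.113.9", "result": "timeout"}
{"ts": "2022-03-01T09:11:00", "user": "bob", "ip": "203.0.113.9", "result": "timeout"}
{"ts": "2022-03-01T09:12:30", "user": "bob", "ip": "203.0.113.9", "result": "timeout"}
{"ts": "2022-03-01T09:13:00", "user": "bob", "ip": "203.0.113.9", "result": "approved"}
{"ts": "2022-03-01T09:30:00", "user": "dave", "ip": "198.51.100.8", "result": "timeout"}
{"ts": "2022-03-01T11:45:00", "user": "dave", "ip": "198.51.100.8", "result": "timeout"}
"""


def parse_push_log(text: str) -> list:
    """Parse one JSON record per line into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_users(events, window=timedelta(minutes=10), threshold=3) -> dict:
    """Return {user: [reasons]} for two signals:
      1. any explicit Deny: the user saw an attempt they did not make and
         rejected it, so the password should be treated as compromised;
      2. `threshold` or more pushes not approved within `window`: someone is
         retrying a stolen password, hoping for an accidental Approve.
    Note that bob in the sample is flagged even though his final push was
    approved; the successful login is the case an analyst most wants to see."""
    findings = defaultdict(list)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        if any(e["result"] == "denied" for e in evs):
            findings[user].append("explicit deny: treat password as compromised")
        unapproved = [e["ts"] for e in evs if e["result"] != "approved"]
        start = 0                       # sliding window over sorted timestamps
        for end in range(len(unapproved)):
            while unapproved[end] - unapproved[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[user].append(
                    f"{end - start + 1} unapproved pushes within {window}")
                break
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in find_suspicious_users(parse_push_log(SAMPLE_PUSH_LOG)).items():
        print(user, reasons)
```

In practice the interesting follow-up is the source address: a burst of pushes for one user from an address that user has never logged in from is a password reset waiting to happen, whether or not any of the pushes was approved.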

ETS’s official documentation on multi-factor authentication is available at https://go.uvm.edu/mfa and https://go.uvm.edu/mfafaq.

If you have questions or concerns, email them to iso@uvm.edu.

Sam Hooker, for the Information Security Operations Team

Email – take it or leave it?

October is National Cyber Security Awareness Month. This is the first of four timely tips based on current hot topics at the university.

Email is a useful tool for communication, but it is also the most common way that malware and scams enter our University community. Some quick tips to protect yourself, your data, and your reputation, as well as that of the University:

  • Be suspicious – Does it sound too good to be true? It is. Does it feel like you are being excessively pressured? You are. Does it sound weird, look weird, have grammar or spelling mistakes? It’s a fake.
  • Think About the Link – email links that go to strange places are the quickest way to get someone to go to an illegitimate site and mistakenly enter their credentials. Hover over the link (but don’t click) and see if it really goes to a uvm.edu site. Look at the host name (the part right after https://): “uvm.edu” appearing somewhere later in the address, as in uvm.edu.example.com or example.com/uvm.edu, does not count. Many times links don’t go where they claim and should be reported as phish.
  • Attachments – were you expecting that email with a document from that person? Lots of bad software can come into our community through attachments. Your best bet is to not open or forward an attachment that you were not expecting.
  • Report it – think you just received a phish or scam? Report it by sending the message as an attachment to abuse@uvm.edu
  • Call – if you can’t tell whether a message is real or not, go for the low-tech solution and call the sender, finding their phone number independently via their official website (don’t use the one that was sent in the email message!)
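The “Think About the Link” tip above asks a human to judge where a link really goes. As an added example written for this page (not part of the original tip), here is that judgement as code, with the lookalike tricks phishers rely on handled explicitly: a trusted name in the path, a trusted name before an “@”, a trusted name used as the prefix of a longer host name, and non-ASCII lookalike characters. The list of trusted domains is an assumption for illustration.

```python
# Added example (not part of the original tip): the "does it really go to a
# uvm.edu site?" check as code. The trusted-domain list is an assumption.
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("uvm.edu",)          # assumption: the domains we consider "ours"


def is_trusted_link(url: str) -> bool:
    """True only if the host of the URL is a trusted domain or a subdomain of
    one. A trusted name appearing in the path, before an '@', as a prefix of
    a longer host name, or spelled with lookalike characters is exactly what
    a phishing link looks like, so all of those come back False."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False                    # javascript:, data:, or no scheme at all
    host = (parts.hostname or "").rstrip(".")   # .hostname drops user@ and :port
    if not host or not host.isascii():
        return False                    # Unicode lookalikes (e.g. Cyrillic "е")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(urls) -> dict:
    """Classify a batch of links pulled out of a message: {url: trusted?}."""
    return {u: is_trusted_link(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links (example.com is reserved for documentation).
    for url, ok in triage([
        "https://www.uvm.edu/login",
        "https://uvm.edu.example.com/login",
        "https://example.com/uvm.edu/login",
        "https://www.uvm.edu@example.com/",
        "https://uvm.edu-login.example.com/",
    ]).items():
        print("trusted " if ok else "SUSPECT ", url)
```

A link that passes this check is not automatically safe (a legitimate site can be compromised, and a link can be trustworthy but still unexpected), so the remaining tips above still apply; the check only removes the most common way of being fooled by what the status bar shows.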

Hopefully tips like these will help you stay safe at home or work!
