UVM's Information Security Operations Team answers "Why?" Why?security

Posts

Being “Smart” With Your Smartphone

Last month was National Cyber Security Awareness Month.  To keep you thinking about security, this is the third of four tips based on current hot topics at the university.

Being “Smart” With Your Smartphone

Chances are if you have a smartphone you know what a useful tool it can be and chances are even greater using it as a “phone” constitutes a small percentage.  With that in mind, we offer some tips to help you stay secure:

  • Stay up-to-date with software updates.  We know that change is hard and often not welcome, but updates usually include important security fixes that ensure the information you enter, access, and store in your smartphone stays secure.
  • Set a passcode.  It doesn’t have to be a combination of 23 letters, numbers, and special characters.  Even just enabling the passcode enables important security features, such as encrypting the data on the phone so that only someone with the correct passcode can decrypt it.  A four-digit passcode is a start, but even better is something simple that adds a bit of complexity yet is easy to type on a tiny virtual keyboard.  Examples: 37Snowflake or Freefall28
  • App Stores.  Sticking with the native app stores, such as the Apple App Store or Google Play Store, will help to ensure that the apps you install don’t contain any password-stealing malware.  There are examples of simple game apps stealing information from your phone and sending it off to the Internet while you’re playing the game.
  • Loss/Theft: Subscribe to the “find my device” service for your particular phone.  By doing this, if you do lose your phone, you’ll have multiple options for locating the device, sending a message to it, or even erasing it remotely.

 

The Password Is Dead: Long Live…Anything Else!

Executive Summary

[read time: approx 1.5 min.]

Passwords by themselves are no longer sufficient for protecting your information and UVM’s information from everyday attacks. UVM is moving to require multi-factor authentication (MFA) to protect the most critical information at first, and all of the university’s online assets in the long run.

This means that logging into certain online services provided by UVM’s Enterprise Technology Services (ETS) will require something in addition to your password, similar to many online banking applications. ETS is starting this process with PeopleSoft in October and November of 2016. A very simple, free smartphone app called Duo Mobile is the recommended method (really, the only one which will scale to the size of UVM’s entire population) and is anticipated to satisfy the needs of the vast majority of UVM users. There are other options; they’re reserved for cases where use of the Duo Mobile app is impossible or its use otherwise presents extreme hardship.

The Details

[read time: approx. 8 min.]

For a long time and for a lot of people, “information security” has meant of a stream of Don’ts* and basically only one Do: Create a “strong” password and keep it secret. This approach meant that we IT professionals had to repeatedly connect with our public (something we know you love) as the threats evolved and the definition of “strong” evolved with them. Until now, this translated into ever-more-complicated requirements resulting in a completely unmanageable stable of passwords for accessing your digital life. And maybe “stable” is the wrong word, since one of those requirements is that you change most of your passwords at varying intervals. It drives you crazy, it drives us crazy, and in the modern era the password doesn’t even do what it’s supposed to any more.

* Don’t open that email. Don’t click on that link. Don’t visit that website. Don’t …, don’t …, etc.

What is a password supposed to do, anyway?

My password is a little secret, shared only between me and some computer service, which is supposed to prove that I am who I claim to be.

That’s it.

I show up at some speakeasy on the internet and knock on the heavy steel door. The bouncer inside slides that little metal peep cover aside and says (in a 1920s Bronx accent), “Who’s dere?” “sthooker,” I say. “What’s the passwoid?” she asks. “******************,” I respond. (Clever, right?) And if that is in fact sthooker’s password, I’m in. And everybody inside thinks I’m sthooker. What could possibly go wrong?

Aye, there’s the rub.

Our little speakeasy analogy is slightly flawed: First, there’s no intelligent human bouncer who could recognize my appearance through that peephole or recognize my voice through the door. It’s more like I slip a punch card under the door containing “sthooker” and “******************” and a computer rather undramatically either opens the door or doesn’t. Also, the establishment is no longer a speakeasy; now it’s a Special Library containing every piece of information — academic, financial, personal, and health-related information pertaining to myself and anyone else — that I handle in my role at UVM.

And now we come to the problem with passwords: Anybody else with the same punch card can show up and enter the Special Library claiming to be me. And our bouncer can’t tell the difference.

Put another way: My password is reusable. This means that if someone captures my password — whether by infecting a device of mine with keystroke-logging malware or by tricking me into revealing it to them — they can use it over and over again, just like I can. That’s right: It doesn’t change often enough. (I know — we make you change your password once per year, and that’s too often.) But in order to effectively counter current threats, the password would need to change every time I used it.

That sounds like a lot of work. Besides: Who would pretend to be me?

Perhaps disappointingly, it’s probably not about you or me, per se. Our UVM NetIDs give us access to a number of Hot Commodities. Commodities like…

  • …private information about us, some of which could be used to fraudulently open financial accounts in our names (remember the Special Library?);
  • …the ability to see and change where our paychecks are deposited (if you work here; this includes student employees);
  • …some or all of our academic and research data;
  • …private information about other people (students under our tutelage, employees in our charge);
  • …a reputable spot on the US internet, which is useful if you’re a criminal operator attacking American networks or American businesspeople. (Yes, the Bad Guys frequently hijack UVM accounts just so they can turn around and victimize someone else, somewhere else.)

This is quite a potential trove, considering the relative ease of acquiring someone’s password.

So this is serious. How do we fix it?

Easy: We tell our bouncer to demand something else in addition to a password before she believes anything the person knocking on the door says.

Oh! Like “Security Questions”?

Not exactly. Security questions suffer the same weakness as passwords: They’re both something I know which does not change (often enough). What we really want is for our additional element of proof (called an authentication factor) to be something I have, or even something I am so that even if someone captures that Something I Know (the password), they can’t get in without having the Something I Have or being the Something I…well, me.

In implementing multi-factor authentication (MFA) we’ve increased the amount of work the Bad Guys need to do in order to access my Special Library: Perhaps they’ve already done some work (albeit only a little) to get that Something I Know, but now they have to either acquire the Something I Have or convincingly impersonate me*. These days, the Bad Guys are in business, and now it suddenly costs more to access my Special Library — especially considering many criminal gangs operating in this space seem to be based overseas. It may be cheap for them to send a few emails and phish my password, but it’s probably much more expensive to send someone to steal something from me (such as my smartphone). At this point, most run-of-the-mill Bad Guys move on to softer targets. This is not to say no one will ever expend significant effort to target you specifically, but the likelihood is lower (see ego-deflating “it’s not about you” commentary, above) and information security is a game of reducing or minimizing risk; we can very rarely eliminate risk entirely.

* We’re not talking about accents and disguises, here; they’d need to “impersonate me” in a way that computers care about — mostly high-contrast features of my person which sensors can pick up in either the visible or infrared spectra, e.g. the patterns of blood vessels in one of my hands or on one of my retinas. Read up on biometric authentication for more information.

Additionally: Recall that the main problem with the password all by itself is that it it reusable. It would be best if our second authentication factor took care of changing itself after each use. The Duo smartphone app does this for me. It’s something I have, and there are machinations behind the scenes which ensure each access token is usable only once. In other words, if someone somehow intercepts my password and my Duo access token as I’m using them, they can not use what they’ve captured over and over again to access the Special Library.

So I can ditch my password now and just use this other thing?

No, not yet. If we did that, someone with the means to steal (or even borrow) your phone could access your Special Library using only Duo Mobile. You want (at least) two factors working together.

Can’t I just do “Security Questions” instead?

Nope.

Drat.

Sorry.

So, this is it, right? Problem solved, right? No more annoying security things to do after this one?

Sadly, it’s not likely to be the great Eternal Security Silver Bullet everyone hopes for. (Nothing is.)

Multi-factor authentication improves our protections tremendously over the lowly (and lonely) password, and will probably be enough of a deterrent to drive cost-conscious Bad Guys away from you and UVM (for now) in search of easier pickings. But defending UVM’s community from these attacks mirrors any other parasite-host relationship: As we (the host) improve our defenses, the Bad Guys (the parasites) will improve their attacks. As a famous monarch once said, “Now, here, you see, it takes all the running you can do, to keep in the same place.

Is there anything else I need to do?

If you don’t already have a strong passcode or biometric (like the fingerprint readers on various Android devices or Apple’s TouchID) protecting your mobile device, now is the time. Additionally, Duo Mobile defaults to allowing anyone in possession of the device to approve login requests without unlocking that device: It would be prudent to disable that feature.

Finally: Be suspicious of any Duo request that shows up when you’re not expecting it. That could be a sign that someone, somewhere has captured your password and is trying to use it right now. Your last line of defense between that Evil-Doer and your Special Library is Duo Mobile’s red Deny button. If you Approve unexpected requests, you could be letting the Bad Guys in — and all this work was for naught.

ETS’s official documentation on multi-factor authentication is available at https://go.uvm.edu/mfa and https://go.uvm.edu/mfafaq.

If you have questions or concerns, email them to iso@uvm.edu.

Sam Hooker, for the Information Security Operations Team

Email – take it or leave it?

October is National Cyber Security Awareness Month. This is the first of four timely tips based on current hot topics at the university.

Email – take it or leave it?
Email is a useful tool for communication but is also the most popular way that problems can be easily brought into our University Community. Some quick tips to protect yourself, your data, and your reputation as well as that of the University are:

  • Be suspicious – Does it sound too good to be true? It is. Does it feel like you are being excessively pressured? You are. Does it sound weird, look weird, have grammar or spelling mistakes? It’s a fake.
  • Think About the Link – email links that go to strange places are the quickest way to get someone to go to an illegitimate site and mistakenly enter their credentials. Hover over the link (but don’t click) and see if it really goes to a uvm.edu site. Many times they don’t and should be reported as phish.
  • Attachments – were you expecting that email with a document from that person? Lots of bad software can come into our community through attachments. Your best bet is to not open or forward an attachment that you were not expecting.
  • Report it – think you just received a phish or scam? Report it by sending the message as an attachment to abuse@uvm.edu
  • Call – if you can’t tell whether a message is real or not, go for the low tech solution and call the sender by independently finding their phone number via their official website (don’t use the one that was sent in the email message!)

Hopefully tips like these will help you stay safe at home or work!

Ransomware Alert

A new form of malware is making its way to the University of Vermont: Ransomware is a particular form of malicious software which prevents you from accessing your own data.  Once the software has locked down any data to which you have access, it demands that you pay a ransom in order to have access restored.

To avoid ransomware and/or reduce its impact, take the same precautions you’re already taking to avoid malicious software attacks:

  • Make sure all critical files are backed up. If you use files.uvm.edu, data is already backed up for you. However, anything stored on your desktop or laptop hard drive, removable media, or other file services could be at risk and should be backed up before you suffer an attack.  If you are unsure about backups, check with your local IT person.
  • Slow down and scrutinize all email with attachments.  Are you expecting this particular email and this specific attachment? If in doubt, call the sender and ask.
  • Disable macros when opening Microsoft Office documents (Word, Excel, etc.). Most files will work without them. Seek help, otherwise.
  • If you receive an email from yourself with an attachment, and you do not recall sending the email, do not open the attachment. This trick has been a particular favorite in cases we have observed.

If you think you may be the victim of a ransomware attack, take the following steps:

  • Shut down your machine and disconnect from the network to limit the scope of damage.
  • Do not pay the ransom. There’s no guarantee that paying will get your data back.
  • Contact your local IT person. They will help you triage the problem and will escalate to the Information Security Operations Team as appropriate.

Enterprise Technology Services continues to update its safeguards against these attacks and others but the malware changes rapidly and can sometimes evade detection long enough to arrive in your Inbox. Your vigilance is our last line of defense against this kind of attack.

If you have questions or concerns, get in touch with the Information Security Operations Team at iso@uvm.edu.

Income Tax Fraud: How to Protect Yourself

Nationwide, many taxpayers have attempted to file their federal and state income tax returns, only to find out that criminals have already filed fraudulent returns and claimed refunds.  The Vermont Department of Taxes explains:  

Refund fraud occurs when a criminal uses stolen identification of a taxpayer, including Social Security Number, to create a phony return.  Often the criminal will use software to generate fraudulent returns in multiple states using the same stolen identification. Identity theft is a well-known problem, and can result from a data breach, scam, or loss of a wallet.

Last year, the IRS reported 875,000 cases of tax identity theft, and news reports indicate that fraud continues at a high rate this tax season.   UVM is aware of fewer than two dozen employees who have been victims of this type of fraud.  There are numerous potential sources of the personal information needed to file a tax return, and investigations into the cases reported by UVM employees, which are continuing, have not shown evidence of a compromise of UVM databases or information systems.  Stolen personal information, such as Social Security numbers stolen in widely reported corporate breaches, is readily available in underground marketplaces, and finding additional information such as employer EINs is facilitated by free online databases.  

How to Protect Yourself

If you’re notified by the IRS or a state tax department that someone has filed a fraudulent tax return in your name, take these steps to  resolve the issue and protect yourself: 

  • Follow the steps suggested by the IRS and the Vermont Department of Taxes, including: 
    • File a report with law enforcement (your local police department) 
    • File a complaint with the Federal Trade Commission 
    • Respond immediately to any IRS notice 
    • Complete IRS Form 14039, Identity Theft Affidavit 
    • Continue to pay your taxes and file your tax return, even if you must do so by paper 
    • Contact one of the three major credit bureaus to place a fraud alert on your credit records 
    • Notify UVM’s Information Security Operations Team at iso@uvm.edu, or UVM Police Services 
  • You may also want to: 
    • Contact your financial institutions, and close any accounts opened without your permission or tampered with
    • Check your Social Security Administration earnings statement annually 

If you’ve been notified by a company or organization that your personal information has been compromised, even if you’re not a victim of tax return fraud, follow the steps above with the exception of the IRS-specific items.  

Additional sources of information and guidance: 

Identity Theft (UVM Police Services)

Tax-Related Identity Theft (Federal Trade Commission)

What to Do if Someone Has Already Filed Taxes Using Your Social Security Number (Intuit) 

IRS Tackles Tax Identity Fraud (Wall Street Journal) 

IRS Struggles to Help Victims of Identity Fraud (Fiscal Times) 

Please contact the Information Security Operations Team at iso@uvm.edu with any questions, concerns, or suggestions.  

Passphrases and multifactor authentication

IT Colleagues,

If you find yourself challenged to help those whose IT needs you support understand the importance of strong passwords, how to choose one, or why to use unique passwords, this month’s OUCH! newsletter may be useful.  You can download it from securingthehuman.org [1].

The newsletter also covers two-step verification or multi-factor authentication (MFA) [2].  While passwords are a single factor (a secret you know), MFA adds factors that someone who’s stolen your password won’t have: something you possess, something you are (a physical characteristic), or somewhere you are (a location or a trusted device).  Most people have experienced MFA with ATMs or online banking, and for good reason: it’s way too easy to steal passwords, either through social engineering or device compromise (e.g., key loggers).   A strong password is no defense against those threats.

Multi-Factor Authentication at UVM 

At UVM, we’re on track for a record year of Net-ID password compromises (95 so far in 2015, compared to 61 in the first three months of 2014, 350 in all of 2014, and 102 in 2013).   Compromised accounts are most often used to send spam, but more dangerous uses have been seen, with potentially catastrophic consequences for UVM and for the information resources, often very personal and sensitive, that we’re entrusted to manage.

With the diminishing effectiveness of passwords, UVM needs to expand our use of MFA.  People have been using RSA SecurIDs for access to Banner and some VPNs for a long time, making it all but impossible to access those systems with a stolen password.

The PeopleSoft system is next.  The recently implemented switch to using Webauth to log in to PeopleSoft has laid the foundation for MFA for that system.  SecurIDs will be supported, but most people who don’t already have SecurIDs will be able to choose several alternatives, including a USB key fob from Yubico, a smartphone app (Duo Mobile), a text message, and even a phone call.   A pilot population is using MFA with PeopleSoft now, and discussions with data stewards and affected groups will determine the roles that will be required to use MFA, and who will be able to opt in.

In the mean time, I hope this month’s OUCH! newsletter will shed some welcome light on good passwords and multi-factor authentication.

[1] http://www.securingthehuman.org/ouch/ 

[2] http://en.wikipedia.org/wiki/Two_factor_authentication 

Best regards,

Dean Williams

Information Security Officer

Enterprise Technology Services

Dean.Williams@uvm.edu | 802-656-1174  

Find information security news, best practices, and how to report concerns on the UVM Computing Web site:

http://www.uvm.edu/it/security

The time for Encryption and Workstation Management is Now

IT Colleagues,

Protecting the huge variety of information the University collects and manages is everyone’s responsibility.  For those of us with IT roles, people whose IT needs we support look to us to provide safe and secure ways to manage information.  The need is particularly critical when it comes to protecting personal and private information on students, employees, research subjects, and other affiliates.  No one wants to be responsible, even by accident, for exposing personal information that could cause harm to individuals, impact UVM’s reputation, and incur significant costs.

As IT people, it’s our responsibility to help others work securely, including implementing critical laptop and “desktop” protections such as encryption and domain joining.  Some protections are mandated by policy, and others are best practices.  ETS can help.

How We Need to Help

One of the most important ways we can help our clientele work securely is to help them secure their computers and other devices.  The Information Security Procedures mandate several precautions that IT personnel generally need to set up for their clients:

  • Encryption of UVM- and personally-owned devices that could carry institutional data
  • Use of University storage and email (rather than external, cloud services)
  • Malware protection
  • Automatic software updates
  • Software that is supported with prompt security fixes (especially operating systems)
  • Requiring a password for start-up and wake from sleep or screen saver (ten-minute time-out)
  • Destruction of data when a device is transferred or recycled
  • Protection from theft

In addition, best practices include:

  • Working as a nonprivileged user, without administrative rights (a separate admin account can be set up for use only when needed)
  • Workstation management via joining Windows computers to the Campus domain and, for Macintoshes, Casper
  • An inventory of all departmentally owned IT equipment

Encryption Works Now

Any University-owned laptop computer used to access UVM non-public data or file services must have its storage system encrypted using a University-approved encryption system, with UVM retaining the encryption key.  That’s a very good idea for “desktop” computers, too, since they also are subject to theft.  When devices are stolen, encryption gives UVM a safe harbor under privacy protection laws such as Vermont Act 162; without encryption, legally mandated investigation and notification steps are time-consuming and can be expensive.

PGP Whole Disk Encryption was far from easy and problem-free, and consequently, the number of laptops protected by encryption has been low.  But with BitLocker for Windows and Casper/FileValult for OS X, we really must finish the job and get all laptops encrypted.  Encryption is mandatory for all laptops and portable devices — and it’s a feasible, reasonable precaution for desktops, as well.  The best way to ensure compliance is to use centrally provided deployment services for each platform and ensure encryption is enabled at deployment.  All new laptops configured by the ETS Client Services Computer Depot will have BitLocker or Casper/FileVault encryption, and ETS is discussing configuring new desktops for encryption.  For computers that are already in service, ETS can help, and instructions are available.

Encryption works now; let’s take advantage and use it.

One-Step Security: Join the Domain 

Managing UVM-owned computers through Active Directory (Windows) and Casper (OS X) is the best way to take care of key usability, support, policy compliance, and security needs — while preserving user flexibility and local control.  It works well.  It encourages consistency.  It enhances security.  It ensures legal safe harbor for stolen devices by proving encryption status.  It keeps an inventory.  And it’s free.  Contact saa-ad@uvm.edu for more information.

Providing and enforcing a secure computing environment involves a mix of best practices and actions that are mandated by policy or by law.   I recognize that the urgency of putting out today’s fires can push security to the back burner, but in the long term, letting security slip will have a greater and more painful cost.  I hope that each of us will do everything we can to give it priority.

Are there ways that ETS or the Information Security Operations Team could help you provide and promote good security?  Please let us know.

Best regards,

Dean Williams

Information Security Officer

Enterprise Technology Services

Dean.Williams@uvm.edu | 802-656-1174  

Find information security news, best practices, and how to report concerns on the UVM Computing Web site:

http://www.uvm.edu/it/security

Someone Stole My UVM Password; Now What?

You’ve probably had your UVM Net-ID locked because someone stole your password and started doing horrible things using your account, like sending spam or launching Internet attacks.  Enterprise Technology Services Account Services can get your account unlocked (call them at 656-2006) — but there are some critical steps you should take right away to protect yourself and others.

If don’t know for sure how your password was stolen, it’s possible that your computer system has been infected with a virus or other malicious software (malware), so your next step should be to take action to protect your data and prevent your computer from being used to attack others.

Secure Your Computer

Ensure your computer is current with all available patches, fixes, and upgrades. If you do not have your operating system set to automatically update, do so now by visiting your operating system’s website and following the instructions.

Your computer’s security software should also be up-to-date. To check status, click on the icon for the security program on your system. If an update is needed, it will be indicated here. If you don’t have security software installed, you need to get it. Make sure you have anti-virus and anti-spyware software installed and a firewall enabled.

Confirm that your browsers are up-to-date. Tools such as Qualys BrowserCheck or WhatBrowser can help assess status.

Visit the Carry-In Center in the Davis Student Center for assistance.

If your computer checks out clean, it’s possible that another computer, tablet, or phone that you’ve used recently is infected.

Secure Your Accounts

You probably access numerous online accounts, including social media, banking, news sites, shopping, and others. If you’ve been hacked, there is a chance that important passwords have been stolen. Reset your passwords for your critical accounts first, starting with your email account, followed by financial and other critical accounts.  It is important to start with email accounts, since password resets for all of your other accounts are typically sent to your email.

Use separate and unique ID/password combinations for different accounts and avoid writing them down. You may want to use a password manager such as 1Password.  Make the passwords more complicated by combining letters, numbers, special characters, and by changing them on a regular basis.  If you are unable to log into one of your accounts, contact the service provider or website immediately. Most online providers include an online form, an email address to contact, or a phone number to call.

Secure Your Mobile Device

Mobile phones and tablets are also subject to attack. As we do with our personal computers, we have to ensure that the proper steps are taken to protect our information and devices. This includes installing security software, where available, and keeping all installed software up-to-date.

For More Information

You’ve been hacked, now what?
http://www.net-security.org/article.php?id=1827

Your Email’s Been Hacked! Now What?
http://identitysafe.norton.com/blog/blog/2013/06/03/your-emails-been-hacked-now-what/

You Got Hacked! What Now?
http://www.pcmag.com/article2/0,2817,2403134,00.asp

Hacked: Now What?
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201209_en.pdf

I’ve Been Hacked! Now What?
http://netsecurity.about.com/od/disasterrecovery/a/I-Ve-Been-Hacked-Now-What.htm

You’ve been hacked! Now What?
http://www.doit.wisc.edu/youve-been-hacked-now-what/

Adapted from The Center for Internet Security (CIS).

Visiting Questionable Websites (or, Using Your “Internet Hazmat Suit”)

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:

STOP. THINK. CONNECT?

With each phishing campaign that’s conducted against UVM’s students, faculty, and staff, the Information Security Office receives dozens of notifications from astute members of the community who recognize the email messages for what they are: a scam aimed at co-opting someone’s legitimate access to UVM’s information resources.

Occasionally, these notifications include a comment like, “I knew the email was a phish, and clicked the link. Wow, was that ever a poor excuse for a website!” (or “…Wow, the site looked exactly like myUVM!”). While we appreciate the heads-up and certainly understand folks’ curiosity, the sad fact is that even the simple act of visiting one of these websites can cause trouble by forcing your browser to make unauthorized requests, instigating malware downloads, or even by commandeering your web browser for control by nefarious puppeteers.

What’s the astute-yet-curious Internet citizen to do?

In short: Leave it alone, unless you’re willing to undertake a fair amount of work. Seriously: The Bad Guys have gone out of their way to take Everything That’s Nice About the Internet and turn it against us.

You’re still here? OK, there are a few techniques that someone willing to go the extra mile (well, frankly, a few extra miles) can use to investigate suspicious sites in relative safety. But even all of these are only a hedge, and not a guarantee that nothing Bad will happen to your computer/mobile device/information. Caveat lector/Lasciate ogni speranza/Here be dragons, etc.:

The “one-time experiment” approach: A separate user account on your computer.

The easiest entrée into Fearless Acts of Internet Investigation involves becoming someone else…sort of. Modern computer operating systems (including Windows, OS X, and Linux) leverage the concept of the user account. Whether you know it or not, each time you use your own computer, you log in as a particular user (even if you don’t use a password). In most “consumer computing” cases, that user is also an administrator of the machine’s operating system, meaning that it is capable of doing just about anything to that computer including installing malware like viruses and keyloggers.

The trick to safely investigating suspicious Internet sites is to NOT have that capability. Here’s how to do it:

  • Be certain your OS, web browser, and anti-virus/malware protections are fully up-to-date. It would be sad to do all this work only to be nailed by something that’s already been addressed, no?
  • Copy the suspect link to a piece of paper. Seriously? Yes: Where we’re going, you won’t be able to copy/paste between “here” and “there”…
  • Create a non-administrator user account. On both Windows and OS X computers, this is called a “Standard” user.
  • Switch to this newly-created user account. The process differs between Windows and OS X.
  • Disable JavaScript, Java, Flash, and ActiveX in your web browser. This will address common avenues for “silent” delivery of downloads and remote control of your browser. Again, different processes for different browsers like Firefox, Chrome, Internet Explorer, and Safari. Search engines like Google, Bing, and company are your friend, here.
  • Visit the site. (You’ve been so patient!)
  • STOP if you are presented with prompts that request Administrator privileges or the installation of browser plugins. (We’re specifically trying to rob the website of these capabilities, remember? :-))

It’s important to note something here: In disabling all those browser capabilities/plugins (JavaScript, Flash, etc.), we’ve traded “fidelity” for “safety”. In other words, the site you visit may not look as intended without those bells and whistles enabled, so it could be difficult to tell whether it’s a clone of myuvm.uvm.edu, or trying to do something sneaky like turn your browser into a zombie. The antidote to this is the next method, below.

The “dedicated” approach: A virtual machine.

A “virtual machine” is basically a second computer running inside your computer’s operating system. The great thing about virtual machines is that they can generally be copied. So you can, say, create a very basic virtual Windows or Linux machine template on your Windows, Mac, or Linux computer, make a copy of it to use when visiting unsavory websites, and then throw it away when you’re done. The next time you find yourself itching to check out another questionable site, make another copy, use that, throw it away when done. A lot like a disposable hazmat suit!

Popular virtualization technologies for desktop computers include VMware products for Windows computers and Macs, VirtualBox for both, Parallels Desktop for Macs, and KVM and Xen for Linux. You could even try out one of the free cloud offerings from the likes of Amazon if you just want to dip your toe in the water without installing software on your own computer. (Please note that UVM doesn’t formally endorse or support any of these products, even though they may be in use by various units. Caveat emptor/your mileage may vary.)

The advantage of this method over the “separate user account” approach is that the isolation from your everyday operating system (known as the “host OS” in virtulization lingo) is more complete, so you can let the browser run active content (JavaScript, Flash, etc.) and get the “full website experience” with more confidence. This does make it important that you destroy the virtual machine when you’re done, since it’s basically a full-fledged computer which you’ve just exposed to a bunch of Internet contagion. Which means, if it does catch some Exotic Internet Flu, it will be an infected computer with access to other computers on your home network/UVM’s network/the Internet.

Wait: What about my phone/tablet?

Sadly, there aren’t a lot of great options here for mobile devices. For better or for worse, most mobile device operating systems (like Android, iOS, and Windows RT) only support one all-powerful user account, so the “create a non-administrator user” option is out. (Notable exception: Windows Surface tablets running Windows 8.) And while there are some “sandboxing” options that mimic running virtual machines on these devices, they’re generally part of expensive enterprise mobile device management packages. Certainly it’s possible to remotely control a virtual machine using special apps on your mobile device, but you still have to have a virtual machine to control.

So, as of this writing: Stick to a laptop or desktop computer. (But look for that to change in the future. Maybe.)

That’s pretty involved.

If both of those approaches seem like a bunch of work, it’s because they are. Over the last two decades, computer operating systems and web browsers have developed capabilities for the rapid acquisition (read: download) of content, convenient installation of software (easy-to-use administrator accounts), and a rich interactive experience (JavaScript and friends), and hacking techniques have evolved to take advantage of those capabilities for nefarious purposes. So, in order to have a truly safe experience when visiting potentially-dangerous websites, one really needs to short-circuit a whole bunch of features that the modern Internet user takes for granted.

Is it possible to do this? Yes, if you’re committed to taking appropriate precautions. Is it for everyone? We leave that up to you.

So, in conclusion…

We encourage you to STOP before clicking the link in that scam email.

Then THINK about what information you might be putting at risk by visiting that website on the device you’re currently using (your phone? tablet? laptop?) — How many passwords are saved on there? What’s in the files contained in its local storage? Have you logged into your bank using this device? Did you ever log off?

Finally, CONNECT only if you’ve taken the extensive precautions required in order to do so safely.

Questions or comments? Get it touch with us: iso@uvm.edu

 

Safe surfing,

Sam Hooker, for the Information Security Operations Team

Physical Information Security for Everyone

National Cybersecurity Awareness Month is an annual opportunity for folks like us to encourage folks like you to adopt a simple, three-point approach to keeping yourself and your information safe online:

STOP. THINK. CONNECT?

As weird as it might seem, there are physical aspects to securing information about you: Before your data are stolen or corrupted, there’s a need to keep track of devices and media containing information about you and your life. After someone acquires your data, there’s the possibility it could be used against you in the real world (online banking theft, physical robbery, extortion, and, in extreme cases, physical violence).

We encourage you to STOP before leaving your laptop or phone behind in a public area during trips to the restroom; before tossing your class schedule into the recycle bin unshredded; before posting information about your physical location, upcoming vacation (OK to post afterwards!), or financial habits.

Then THINK about the possible implications of this action; whether the links in that email or text message point to an official UVM website; whether you even have an account with that bank; whether Facebook is really likely to have forgotten how to use spell-check.

Finally, CONNECT with your surroundings, both virtual and physical: Is this a safe place to leave my laptop? Does this website seem sketchy?

A tiny pause can mean the difference between an enjoyable experience and a messy situation. It may seem like a lot to ask, but while we can’t claim this will make you invulnerable, it won’t be long before you don’t even realize you’re doing it.

Safe surfing,

Sam Hooker, for the Information Security Operations Team

Skip to toolbar