UVM's Information Security Operations Team answers "Why?" Why?security


Using URL Shorteners

We’ve all seen URLs shortened by bit.ly and its cousins: Unwieldy juggernauts like http://www.megaconference.us/register.qxv?event=megacon%20xxviii&wonderment=true%20enough%20for%20mom&prepop=1&campaign=225817558&api_key=3e7a67b1f9c00d601dbe reduced to tidy morsels like http://blag.foo/5Vf2.

Who doesn’t enjoy that? It’s cleaner! Efficient! More user-friendly!

Information security pros, that’s who. Why? Because it’s opaque.

How did you know that clicking http://go.uvm.edu/9utlr (if that’s how you got here) was going to bring you someplace that’s safe to visit?

In our efforts to improve users’ online safety through education, we often preach “Know Where You’re Going” — in other words, find out where that link’s going to take you before clicking it. Use of these URL shorteners necessarily defeats this simple technique. Because of this, it’s hard to know whether http://blag.foo/5Vf2 points to the conference registration link you wanted or some scammer site claiming that you can log into the conference reg site with your UVM Webmail credentials. And even if the user is savvy enough to spot the fraud based upon the Address bar contents when their browser finally comes to rest (“Hey — that says megaconference.premline.ru…”), how many drive-by malware sites did they visit to get there?

It’s impossible to know from http://blag.foo/5Vf2.
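What the text of a short URL cannot tell you, its redirect chain can. The following is an added example (not part of the original post, and not how any particular shortener works): a Python script that walks a link hop by hop with HEAD requests, never following a redirect automatically and never downloading a page body. The `tracker.example` host and the redirect table are constructed for illustration; the other hostnames are the ones used above.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def head_location(url, timeout=5):
    """One HEAD request, never followed: returns (status, Location or None)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=head_location, max_hops=10):
    """Return [(url, status), ...]; stops at a non-redirect, a loop, or max_hops."""
    hops, seen = [], set()
    while len(hops) < max_hops and url not in seen:
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return hops

def hosts_visited(hops):
    """Hostnames in order: every site a browser would have touched."""
    return [urlsplit(u).hostname for u, _ in hops]

# Constructed redirect table standing in for the network (not real responses).
SAMPLE = {
    "http://blag.foo/5Vf2": (301, "http://tracker.example/r?id=1"),
    "http://tracker.example/r?id=1": (302, "/landing"),
    "http://tracker.example/landing": (302, "http://megaconference.premline.ru/"),
    "http://megaconference.premline.ru/": (200, None),
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    for hop_url, status in trace("http://blag.foo/5Vf2", fetch=sample_fetch):
        print(status, hop_url)
```

With the default `fetch`, each hop's server still receives a request from your machine, so run it from a host where that is acceptable.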

Still: Cleaner! Efficient! More user-friendly!

Fortunately, the fantastic folks of ETS SAA have come up with an answer that reduces the risks somewhat: http://go.uvm.edu will happily shorten your links for you, and your users can breathe easier (especially once the information security people have made them hyperventilate over URL shorteners) because every http://go.uvm.edu URL can be traced back to a UVM NetID.

(Astute readers will, no doubt, point out that this doesn’t prevent a UVMmer from defrauding Internet users through a http://go.uvm.edu URL. And that’s a fair assessment. But information security is a game of reducing exposure to risks rather than eliminating them altogether. Sad, but true.)

THIS JUST IN (2 October, 2013): Adding a tilde (~) to the end of your shortened URL will cause the user to make a quick stop by a small page on go.uvm.edu which explains where they’ll be taken. This nicely addresses the apparent hypocrisy inherent in this article. Try it for yourself by visiting UVM’s IT security site using these two links:

So please feel free to Shorten the Internet! Just use http://go.uvm.edu when you do it! And if you have questions, please let us know.

Cheers,

Sam Hooker, for the Information Security Operations Team

“Why security?”

It’s the eleventh hour. You’ve been working on a project for months. Maybe it’s a grant application. It’s all coming together: people; facilities; legal; technology. Suddenly, someone steps in and says, “Wait a minute: Have you considered information security?”

Or maybe you have a favorite online service you’d really like to use to manage some aspect of your UVM life. You already know how to use it; you’ve already arranged your workflow around it; you need a little technical help to make it work just right. Then your tech-savvy helper says, “I think we should ask the information security people about this…”

UVM’s Information Security Office and Operations Team are charged with helping all university units protect the institution’s information. It’s our job to enable all our constituents to make informed decisions about technology products, services, and techniques by helping decision makers understand real risks to UVM. We’re not here to say, “No.” We’re here to ask, “How?” and then assist you in finding answers.

On this site, we hope to share our answers to the “whys”, and we’ll probably start with the ones we’re asked most often. There will almost certainly be other answers, some of them contrary, in many cases. We invite you to engage us directly by sending your comments to iso@uvm.edu.

Additionally, if there is a question you would like to see answered here, please email it to iso@uvm.edu.

Cheers,

Sam Hooker, for the Information Security Operations Team
