03 January, 2014

Browser Protections for the New Year

With the new year looking pretty cool (wink), I recommend users resolve to prep their web browsers for the beginning-of-semester online onslaught of phishing messages.

For protection from phishing attacks, it is best to install a browser plugin which will take reports from the phish tanks, so if you follow a link that you received in an email, you will get a warning page presented to you.  Two good plugins are:

BitDefender Traffic Light
and
McAfee SiteAdvisor  (also has an Android and Mac version).

Also, CWRU users should continue to use the Qualys Browser Check (requires CWRU login to access) plugin to advise them when other browser add-ons are out of date (e.g. Flash Player, Acrobat Reader, Silverlight, etc.), since these can be targets of online attacks when not patched.


25 June, 2013

CWRU Legal Notice for Web Pages

CWRU Web Masters:
The university updated the Legal Notice in 2013, and CWRU ITS advises all persons hosting web sites affiliated with CWRU and in the case.edu domain of the requirement to link their initial landing page to the site:
http://www.case.edu/legal.html
This page provides a summary of privacy and legal indemnity statements necessary for the public user.
The general approach is to link "Legal Notice" at the bottom of the page.

18 September, 2012

Microsoft Internet Explorer 9 has been affected by a "0 day" attack.  Until the latest updates are available from Microsoft, I suggest Windows users switch browsers for the near term.  The

Microsoft also recommends installation of the Enhanced Mitigation Experience Toolkit (v3.0), and I recommend users use the Internet Explorer whitelisting settings, and consider the Office settings at a later time.

To check the integrity and patching of all your browsers, use the CWRU Browser Check Utility (requires CWRU login to access).




10 September, 2012

Casey at the Bat

I found this old story in my journal, and it is pertinent for the Campus Community at the beginning of the semester.


Casey called in to the Help Desk when he tried to download the new Windage Wimba software from the Case Software Center, but the accounting system told him that he had already downloaded it.  The new software had only been made available the previous day, and Casey knew he hadn't yet downloaded it.  In looking at the software available at the Software Center website, he learned that there were many applications that were already downloaded.  These included software for an operating system that he didn't use at all.

Casey had played baseball for a few years, and he used the name of his favorite baseball bat to craft his Case password, which was “OldHickory%34.”  He admitted that he had shared his account information with a teammate a couple of years ago, who had since graduated, and that he hadn't changed it since the University-wide password change in 2000-something.

Further investigation revealed that someone using Casey's account had been logging into various resources around campus: the Library, Filer, Forum, Docshare, the Case VPN, and the Case Software Center.  These logins were confirmed to come from off campus, while Casey lived on campus.  In fact, several thousand dollars' worth of software had been downloaded with his account.  Casey had to change his password, and check his email accounts for misuse.  He also had to begin the process of regularly monitoring his credit report in case he was a victim of fraud or identity theft.  It was discovered that Casey's former teammate (and former friend) had in fact used Casey's account to steal software and move movies and mp3 files into the University IT systems.  Casey was disturbed that a 'friend' could do all this with his Case Network ID and password, and worse, he was responsible and accountable for all of these actions.  Fortunately, Casey reported his problem and the real thief was discovered and prosecuted.

Moral of the story?  You'll never know if somebody knows you well enough to guess your password, or even trick you into revealing it (e.g. phishing attacks).  A regular change process, and using passphrases instead of passwords so they are easier to memorize, will help Casey after he graduates and moves on to the professional world.

24 January, 2012

Where Oh Where Can My iPhone Be?

{This post has been updated with new items in September 2012}

I have been noting with interest the volume of users with iPhones and iPad devices, and sadly I also get the reports of lost or stolen iPhones and iPads.  For those of you who have suffered such a loss, I feel your pain.

The first level of pain is based on the answer to the question:  Was your device configured to the CWRU Mobile Configuration Standard?  If the answer is yes, you will be put at ease from the knowledge that any person who picks up your device cannot access your data, they cannot sync your files to a computer, can only make emergency calls, and with the logon banner, perhaps the Good Samaritan will call the "if found, please call..." number.  If the answer is no, well the second level of pain is in store for you, because all those bad things can happen to you, and you have put university data at risk, if you value any communications in your email store on the device.

The CWRU Mobile Configuration for the iPhone and iPad has these distinct features:

  • minimum 5-digit or character passcode to defeat guessing
  • a device wipe setting should passcode guessing continue beyond 10 tries
  • 5 minute screen inactivity timeout
  • encrypted backup when synchronizing with a computer (a thief cannot easily break in with a sync cable)
  • sets the primary WiFi settings to the CaseWireless network
  • CWRU VPN settings
  • LDAP lookups
If you visit the CWRU Service Desk, you can have a nice desktop support person help you install this configuration utility.  Two versions are posted, one for University-owned devices, and one for student (BYOD) devices, the latter being a simpler control set.
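
An added example, not the CWRU profile or tooling: a short Python check that reads a configuration profile and reports where it falls short of the passcode, wipe, timeout and encrypted-backup settings listed above. The payload types and key names are those of Apple's configuration profile format; mapping the list onto those keys is an assumption, and the sample profile is constructed for illustration.

```python
import plistlib

# Thresholds taken from the feature list above.
MIN_PASSCODE_LEN = 5      # "minimum 5-digit or character passcode"
MAX_FAILED_ATTEMPTS = 10  # device wipe once guessing reaches 10 tries
MAX_INACTIVITY_MIN = 5    # "5 minute screen inactivity timeout"

# Constructed sample (not CWRU's): timeout too long, encrypted backup not forced.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>minLength</key><integer>5</integer>
      <key>maxFailedAttempts</key><integer>10</integer>
      <key>maxInactivity</key><integer>15</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>forceEncryptedBackup</key><false/>
    </dict>
  </array>
</dict></plist>"""

POLICY_TYPES = ("com.apple.mobiledevice.passwordpolicy", "com.apple.applicationaccess")

def audit_profile(raw: bytes) -> list[str]:
    """Return findings; an empty list means every threshold above is met."""
    settings = {}
    for payload in plistlib.loads(raw).get("PayloadContent", []):
        if payload.get("PayloadType") in POLICY_TYPES:
            settings.update(payload)
    findings = []
    if not settings.get("forcePIN", False):
        findings.append("passcode not required")
    if settings.get("minLength", 0) < MIN_PASSCODE_LEN:
        findings.append("passcode shorter than 5")
    # A missing or zero value means no limit is enforced, so it fails the check.
    if not 0 < settings.get("maxFailedAttempts", 0) <= MAX_FAILED_ATTEMPTS:
        findings.append("no wipe within 10 failed attempts")
    if not 0 < settings.get("maxInactivity", 0) <= MAX_INACTIVITY_MIN:
        findings.append("inactivity timeout over 5 minutes")
    if not settings.get("forceEncryptedBackup", False):
        findings.append("encrypted backup not forced")
    return findings
```

Calling `audit_profile` on the bytes of an exported `.mobileconfig` file returns the list of gaps; the WiFi, VPN and LDAP payloads are not examined.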

How do I find my (properly secured) device if it is lost?  I recommend setting up iCloud services (under iOS 5.0).  This simple service is built into the iOS 5 series.  When you install the Find My iPhone App on your phone or iPad (a similar feature is available for your Mac), you manage the App by logging in with your iTunes account, and you have the built-in tracking feature.

Note: this won't work ex post facto, so you have to do the preventative measures before your problems occur.  In summary, make sure you
  1. Apply the secured configuration.
  2. Install and set up the Find My iPhone app and configure iCloud.
Post Script: There are similar features for Android devices; that will be discussed in a later feature.

23 January, 2012

Lose a laptop, keep the data

I've been looking closely at various laptop tracking products, intended as theft recovery services.  Some that look interesting are:

  • Computrace/Absolute software, offering 3 versions:
    1. LoJack for Laptops- the consumer version
    2. Computrace Plus- the next step up for corporate/enterprise devices
    3. Computrace Complete- the total package, with asset management, remote wipe, makes toast...
  • PCPhoneHome/MacPhoneHome
  • Orbicule Undercover (Mac Specific)
  • FrontDoor Software
The high-end systems track your laptop for you when it is lost, and when a recovery guarantee is offered, I say take it.  The Computrace service engages law enforcement for you, once you have a police report.  If they cannot find it, you'll get a refund of the cost of your device; some solace for the seasoned road-warrior, but not if your data is gone.

The lower end services will activate a pre-installed agent upon notification that the device is stolen or lost, and the vendor tells the customer the tracked location of the device, assuming it is on a network somewhere (the eventual destination of stolen laptops).

Therein lies the Achilles Heel of laptop theft recovery software: if the computer never comes back to a network, it never "calls home" and no recovery is possible.  Additionally, the lower end products won't help much if the eventual thief (or person who buys it online from the thief) puts in a new hard drive or re-installs a new OS.  

I found Orbicule interesting in its many recovery options, notably taking photos of the (presumed) thief using the stolen Mac.  The customer must refrain from playing "cops" and visiting the reported location of the device.  Call your local police.

Overall, the largest cost to any user who suffers a lost laptop is the lost work (data) that is on the device.  I suggest two approaches to reduce this risk: online backup services and cloud data management.  If your work product is online, you have less chance of losing it in a device theft.  The concept behind the Google Chromebook is for the device to be cheap and efficient, and the valued data to be online.  Follow that approach, and laptop recovery software is less of a value proposition.


12 October, 2011

CWRU Branded version of Qualys Browser Check

A customized version of the Qualys Browser Check is available to CWRU users.  The free utility from Qualys examines the user's browser updates, settings, and in particular browser plug-ins.

University users can access the URL for the utility (login required) at this internal site.  It is recommended that all browsers running on the user's computer be checked.

The results are aggregated for all University users (no individual tracking is involved) to help us assess the state of browser security at CWRU.

03 October, 2011

Cyber Security Awareness Month Schedule of Events

This October, CWRU is hosting a number of security training and education events and lectures intended to stimulate and enlighten the campus community on matters of information security.  The schedule actually begins in September, and approximately one event per week is scheduled.

September 27, 2011
Information session on the NetWars program by the SANS Institute.  The NetWars program is the college and graduate level program of the United States Cyber Challenge (pdf), with the intent of developing talent in information security nationwide.  The intended audience is students and graduate students, but faculty and staff are also welcome.

When:  2:00-3:00 PM
Where:  Sears 221 (knock to enter!)

This presentation is also available via webcast (SANS account needed), but attendees can also meet us in Sears 221 for a group presentation.

Week of October 3, 2011
The Information Security Office announces the availability of new online security awareness training: SANS Securing The Human.  See the enrollment form for Faculty.

October 6, 2011
UCITE Presentation to Faculty.

When: 12:00-1:00 PM
Where: Herrick Room, Allen Memorial Library
Note: RSVP required via UCITE website

October 11, 2011
FBI Counter-intelligence briefing for researchers, faculty, and anybody who needs to protect intellectual property.  Two agents from the Cleveland FBI division will give a presentation of the threat landscape to technology research, both from a human and network/cyber perspective.

When: 2:00-3:00 PM
Where: Nord 310

October 12, 2011
ITSPAC Meeting Presentation on Information Security
  • Top 10 Creepy Security Issues That Should Keep You Up At Night
When: 09:00-10:30 AM
Where: Adelbert Toepfer Room

October 13, 2011
FISCIT Meeting presentation
Invitation to Faculty to participate in security awareness training.

October 19-21, 2011
EDUCAUSE 2011 Conference- Online 
A full schedule of the EDUCAUSE conference in Philadelphia will be presented by the Information Security Office, and is open and free to all who may wish to attend.  Security presentations will be given priority in the schedule, but many other interesting topics in IT in higher education are available.  

When: 08:00 AM to 5:00 PM (October 19 & 20)
08:00 to 12:00 PM (October 21)
Where: Sears 221

See the full schedule here: EDUCAUSE 2011 Online


October 25, 2011
"Social Networks: 5 Threats and 5 Ways to Use them Safely"  A presentation by SecureState, LLC, a Cleveland-based security consulting firm, targeted to university users of social networking systems.

When: 2:00-3:00 PM
Where: Nord 310


20 April, 2011

SSA Creates Zombies, Publishes Names and SSNs of "Living Dead"

"Rumors of my death have been greatly exaggerated" - attributed to Mark Twain

The Office of the Inspector General for the Social Security Administration (SSA) reported that the SSA erroneously published personally identifiable data for living persons in the Death Master file, which is sold to the public.  The Death Master file contains information about recently deceased individuals, and is sold to data merchants, credit reporting agencies, banks and other lenders, who use the data for various purposes, including verifying the status of customers to prevent identity theft and fraudulent account creation in the name of deceased persons.

Over the timeframe of 2006 to 2010, the IG report noted 36,657 persons were erroneously added to the Death Master file.  Personally identifiable data in the file includes:
  • Social Security numbers
  • first, middle and last names
  • dates of birth
  • state and ZIP codes of last known residences available
Zombies!  
The impact to a living person, whose demise has been exaggerated by the SSA, can be significant, but not in an identity theft scenario.  Since credit bureaus will have entered the data as a deceased person, applications for new accounts with the personal data will set off "red flags" as potential fraud.  In terms of the Social Security Number use, these folks are Zombies, or the "Living Dead," which may create another problem with social security accounting for benefits.  Persons being identified as recently deceased, but still clinging to fully breathing taxpayer status, have definitely had one of their fundamental rights removed (life, liberty, and the pursuit of property, happiness, and safety, per the 1776 Virginia Declaration of Rights), if only administratively.  The SSA has much work ahead to ensure the data in the Death Master file is accurate.

Zombie Status should result in the opportunity for  the ultimate credit freeze, preventing any malefactor from using the data to create fraudulent accounts with the published data.  If Zombies continue paying taxes, it is likely the Infernal Revenue Service will not take note of the SSA's errors.


--Lux