Watch Out for Social Media “Surveys”

With everyone spending more time at home, traffic on social media sites has grown tremendously. One particular item to avoid during this time of boredom meltdown, even though it may be fun, is the so-called “survey” that circulates on social media sites. You know the kind: the ones that ask about favorite colors, your pet’s name, your mother’s maiden name, what schools you attended, favorite songs, movies, cars, or whatever. Do these questions sound familiar?

If you have ever set up backup “security questions” for a web site, you’ll notice the surveys ask for many of the same bits of information. A fair percentage of these surveys are simply intended to grab your username for the social network, then slyly ask you to hand over potential security question answers.

Don’t fill out these surveys. Yeah, they can be fun, maybe, but the information you willingly hand over may allow someone to reset your password simply by knowing the answers to your security questions, and that makes them a really bad idea!

With that in mind, whenever you fill out these backup security questions, never use real information as your answers. A security question answer is really just a second password that happens to be guessable, so treat it like one: make up an answer for each question, then record those answers somewhere safe, like in a password manager, along with your unique password for the site. This way, you can still provide the answers when asked, but no one else will be able to discover that information from the far reaches of the Internet, or from your answers to a social media site “survey”.

If you would like more information on password managers, check out the short password manager article here on this site.


If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!


If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT, and specifically from Information Security, will be provided using these outlets. Remember, you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar, where events like tables in Krannert and LunchITS will be posted.


Photo Credit: Photo by William Iven on Unsplash

How to Check Your Email Rules, or Cleaning Up After an Email Hack

Your email is one of your digital identities. When it is hacked or stolen from you, “bad things will happen”. Some email accounts are hacked to enable the attacker to steal other email accounts or impersonate you to manipulate someone else. Other times, the account is simply used to send a lot of spam or phishing emails and then discarded when the attacker no longer needs it. Either way, once you gain control back, you need to do some housecleaning, just like you would if someone broke into your house or stole your car.

One of the most important things to do is to check your email rules. Email rules allow you to automatically handle, sort, or dispose of select emails when they arrive in your Inbox. When someone gets control of your account, they can put in email rules that delete all your emails, or that forward them to the attacker so they can keep reading your email even after you change your password, and potentially gain sensitive information about you, including the password reset emails for your other accounts. Most students only check their Berry Vikings email on their phone, so it may seem strange to log into your account on a laptop or desktop, but this is the easiest way to check your email rules.

Microsoft is currently updating the Email pages on Office365, so there are two different ways to check email rules, depending upon whether or not you have logged into your email on a web browser before.

If you are using the “new and improved” Office365 Mail web pages, this is the process to check your mail rules.

  1. Log in at https://mail.berry.edu with your Viking email credentials
  2. Click on the cog or gear on the upper right of the browser window
  3. Click on “View all Outlook settings” at the bottom right of the window. You may have to scroll to see it.
  4. Click on Mail on the left-hand side of the window, then on “rules” in the second column.
  5. Your mail rules, if you have any, will be shown. Look for any that “applies to all emails” and particularly ones that forward or delete emails.
  6. You can delete any rules you don’t want by clicking on the trash can to the right of the rule.

If you have the old version of Office365 Email, follow this procedure:

  1. Log in at https://mail.berry.edu with your Viking email credentials
  2. Click on the cog or gear on the upper right of the browser window
  3. In the box that says “Search all settings”, type “rules”.
  4. The first item that shows under this search says “Inbox rules”. Click on it.
  5. Your mail rules, if you have any, will be shown. You will have to click on each one to read what it does. Again, look for any that “applies to all emails” and particularly ones that forward or delete emails.
  6. You can disable the rule by unchecking the box to the left of it, then you can delete it by clicking on the trash can at the top of the list.
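The checks in both procedures above, written out as a small added script that is not part of the original post. It encodes what the steps tell you to look for (rules that apply to all emails and forward or delete them) and, going a little beyond the post, also flags forwarding to addresses outside the organization and rules that park mail in folders people rarely open, which are the other two things an attacker’s rule usually does. The rule records are constructed sample data whose field names are modelled on what Exchange reports for inbox rules; the organization’s mail domains are an assumption; nothing here connects to a mailbox.

```python
"""Triage mailbox rules after an account compromise.

Added example, not from the original OIT post. The InboxRule records are
constructed sample data; their field names are modelled on the properties
Exchange reports for inbox rules. Nothing here connects to a mailbox.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the organisation's own mail domains. Anything else is "external".
ORG_DOMAINS = {"berry.edu", "vikings.berry.edu"}

# Folders an attacker typically uses to park mail where the owner will not
# look. This goes beyond the post's own "forward or delete" checks.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    # Conditions. When every condition list is empty, the rule applies to
    # all incoming mail ("applies to all emails" in the Outlook settings).
    from_addresses: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    # Actions.
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    mark_as_read: bool = False


def applies_to_all(rule: InboxRule) -> bool:
    return not rule.from_addresses and not rule.subject_contains


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def triage_rule(rule: InboxRule) -> List[str]:
    """Reasons this rule deserves a closer look; an empty list means it looks benign."""
    findings: List[str] = []
    for addr in rule.forward_to + rule.redirect_to:
        if is_external(addr):
            findings.append(f"sends copies of mail outside the organisation to {addr}")
    if rule.delete_message:
        findings.append("deletes messages")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"hides mail in the '{rule.move_to_folder}' folder")
    if rule.mark_as_read and (rule.move_to_folder or rule.delete_message):
        findings.append("marks mail as read so its arrival is never noticed")
    # A catch-all rule only matters when it also does one of the above; a
    # catch-all that moves mail into a visible folder is merely tidy.
    if findings and applies_to_all(rule):
        findings.insert(0, "applies to every incoming message")
    if findings and not rule.enabled:
        findings.append("currently disabled, but delete it anyway")
    return findings


def triage_rules(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map rule name -> findings, for the rules that have any."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = triage_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample rules: one tidy rule, two typical attacker rules, one
# legitimate internal forward.
SAMPLE_RULES = [
    InboxRule("Newsletters", from_addresses=["news@example.com"],
              move_to_folder="Newsletters"),
    InboxRule("..", forward_to=["mail.drop@example.net"], delete_message=True),
    InboxRule("Password reset", subject_contains=["password", "verification code"],
              move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule("Share with advisor", from_addresses=["registrar@berry.edu"],
              forward_to=["advisor@berry.edu"]),
]

if __name__ == "__main__":
    for name, reasons in triage_rules(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}:")
        for reason in reasons:
            print("      -", reason)
```

Run as a script it reports only the two attacker-style rules: the nondescript “..” rule that forwards everything off campus and deletes the original, and the rule that quietly files anything mentioning a password or verification code into RSS Feeds. The newsletter rule and the internal forward to an advisor stay silent, which is the distinction you want when reading through your own rules.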

As always, if you have any questions about this process or any aspect of information security, please email infosec@berry.edu.


Why Do I Need a Password Manager?

How many sites and services do you log into on a regular basis? Take a moment to think about everywhere you put in a username (usually your email address, but not always) and a password. At work, on social media sites (how many are you a part of?), shopping sites, banks, email, hobby and interest sites, wireless carrier sites (AT&T, Verizon), cloud storage (DropBox, Google Drive, OneDrive), medical and insurance portals, tax return sites… the list can be endless. Do you have twenty? Thirty? Forty?

Now, how many passwords do you have? As in, create and use on a regular basis. Two? Four? Ten?

Did you know that these two numbers should be equal?

Yes, best practice says you should have a unique password for EVERY site and service that you use. Doing so means your other information is safe when a password is exposed on one site, which seems to happen more and more. Attackers routinely take the username and password pairs leaked from one breach and try them on other sites, so a reused password turns one breach into many. With unique passwords, only the data on that one site is affected by the exposed password, not the information on the dozens of other sites and services you access.

THAT’S RIDICULOUS! Right? There’s no way you can keep ten or fifteen passwords in your head, much less one for every site and service you use. You are absolutely right. It’s not possible for most people. There are those gifted (or cursed) with remembering almost everything they see, hear, or experience, but that’s not you, most likely. This is definitely one of those “first-world problems” we joke about between friends.

So how do you create and remember a unique password for every site and service? You don’t! You use a password manager.

Password managers are the solution to this problem. There are many different password managers available, some free, some inexpensive, some ridiculously expensive, but all, at their core, do the same thing. They help you create and store passwords and allow you to copy and paste them into your login screens. How they do it and what price is charged for this capability are the basic differences between products. If you want to skip the introduction and go straight for the dessert, at the end of this article is a short list of password managers along with their costs, platforms supported, and a usability rating. If you have no idea what password managers are or do, then continue reading.

As already mentioned, all password managers do the same thing. They help with the creation and secure storage of your passwords. How they accomplish this will be unique to each program. Features of different programs vary, but here are some to look for:

  • The ability to store more than just username and password. To varying degrees, different password managers allow you to store more information about an account or service, like the website address, or backup codes to allow you to log in if you lose your password or device, or other pertinent information.
  • The ability to store software license numbers, prescriptions, padlock combinations, or other sensitive information. Because password managers use strong encryption, your data is safer stored there than on your hard drive or worse, written down on paper that can be lost or stolen.
  • The ability to organize your passwords, like separating work from personal, websites from cloud storage, hobby sites from banks, or any kind of group you want to use.
  • The ability to automatically rotate passwords for sites that require password rotation, or at least a way to indicate a password is expired based on information you input when you create the entry.

Password managers come in different forms. By that, I mean some password managers are browser add-ins, some are desktop or mobile apps, some are just websites, and others incorporate some or all of these forms. This is important, since you will authenticate to sites from your desktop, laptop, phone, tablet, and even your TV in some cases (although I am unaware of any password managers that run on the Amazon Fire TV, Roku or similar platforms).

All password managers should use strong encryption to protect your information. Better ones allow you to use two-factor or multi-factor authentication to make them even more secure. This means that in addition to your master password, which we will discuss shortly, you would need a device or an additional code to fully unlock your password collection. More on that in a bit.

To use a password manager, you will have to create a good, strong password that you can remember as a master password. This is the one password you cannot store in the manager, so it must be unique: never use it, or a variation of it, anywhere else. This password should be at least twelve characters; twenty would be better. It should include upper and lower case letters, numbers, spaces, and symbols or punctuation. The easiest way to do this is to create what is called a passphrase: a sentence you can remember, ideally modified by substituting numbers and symbols for some of the letters. Length does more for you than the substitutions do, since common swaps like “a” to “@” are the first thing a password-cracking tool tries, so favor a longer sentence over a cleverly mangled short one.

The next step is to get all your various accounts into the password manager. Once you have put your passwords into the manager, either by typing them all in or, in some cases, allowing the browser plugin to capture them as you enter them manually, you never have to type out passwords again. Or remember them. This is where the real bonus of using a password manager shines. I have upwards of 150 passwords to remember, and I don’t know over half of them. Some I’ve never typed. Some I’ve never even seen. How?

A good password manager will generate long, random passwords for you and allow you to use those for your accounts and services. It should also allow you to manage the complexity of these passwords, as some sites still don’t allow special characters or even spaces in passwords. With the password manager remembering all your passwords, you don’t have to reuse passwords, which is the very unsafe practice we are trying to avoid. Note – This is particularly true in regard to passwords used for banking accounts, medical/doctor office portals, or other sensitive information. If you store your credit card information with any site, such as Amazon or Google, you should have a unique, strong password for it as well.
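To make the last two paragraphs concrete, here is an added example, not code from the original post or from any of the password managers it lists, of how a manager generates a random password that fits a given site’s rules, using Python’s secrets module (a cryptographically secure source; the ordinary random module is predictable and should never be used for this). It also carries out the entropy arithmetic behind the “twelve characters, twenty would be better” advice for the master passphrase, and produces the kind of made-up security-question answer recommended in the social media “survey” post above. The policy fields and the punctuation set are assumptions about what a typical site accepts.

```python
"""Policy-aware random password and security-answer generation.

Added example, not code from the original post or from any password manager
it lists. Uses ``secrets`` (cryptographically secure) rather than ``random``.
"""
import math
import secrets
import string
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    """What a given site will accept. Defaults describe a permissive site;
    a legacy site might be PasswordPolicy(length=16, symbols=False)."""
    length: int = 20
    lowercase: bool = True
    uppercase: bool = True
    digits: bool = True
    symbols: bool = True
    spaces: bool = False
    # Assumption: a conservative punctuation set. Some sites reject quotes,
    # backslashes or angle brackets, so those are left out.
    symbol_set: str = "!#$%&()*+,-./:;=?@[]^_{}~"

    def classes(self) -> List[str]:
        """Character classes the policy allows; each must appear at least once."""
        out = []
        if self.lowercase:
            out.append(string.ascii_lowercase)
        if self.uppercase:
            out.append(string.ascii_uppercase)
        if self.digits:
            out.append(string.digits)
        if self.symbols:
            out.append(self.symbol_set)
        if self.spaces:
            out.append(" ")
        return out

    def alphabet(self) -> str:
        return "".join(self.classes())


def generate_password(policy: PasswordPolicy) -> str:
    classes = policy.classes()
    if not classes:
        raise ValueError("policy allows no characters")
    if policy.length < len(classes):
        raise ValueError("length too short to include every required class")
    rng = secrets.SystemRandom()
    alphabet = policy.alphabet()
    while True:
        # One character from every class so the site's "must contain" checks
        # pass on the first try, then fill the rest from the whole alphabet.
        chars = [secrets.choice(cls) for cls in classes]
        chars += [secrets.choice(alphabet) for _ in range(policy.length - len(chars))]
        rng.shuffle(chars)
        password = "".join(chars)
        # Sites often trim whitespace, which would silently change the password.
        if password == password.strip():
            return password


def meets_policy(password: str, policy: PasswordPolicy) -> bool:
    alphabet = policy.alphabet()
    return (len(password) == policy.length
            and password == password.strip()
            and all(c in alphabet for c in password)
            and all(any(c in cls for c in password) for cls in policy.classes()))


def entropy_bits(policy: PasswordPolicy) -> float:
    """Upper bound on the entropy of a password drawn under the policy.
    Forcing one character per class lowers it slightly, but the comparison
    between policies holds: extra length beats a bigger alphabet."""
    return policy.length * math.log2(len(policy.alphabet()))


def fake_security_answer(length: int = 16) -> str:
    """A made-up answer for a 'security question' (mother's maiden name, first
    pet, ...). Lowercase letters only, because many answer fields reject digits,
    punctuation and spaces. Store it in the manager beside the site's password."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


if __name__ == "__main__":
    permissive = PasswordPolicy()
    legacy = PasswordPolicy(length=12, symbols=False)
    print("permissive:", generate_password(permissive), f"({entropy_bits(permissive):.0f} bits)")
    print("legacy    :", generate_password(legacy), f"({entropy_bits(legacy):.0f} bits)")
    print("security question answer:", fake_security_answer())
```

The entropy figures are the point of the comparison: twelve letters and digits come to about 71 bits, while sixteen of the same characters beat twelve characters drawn from the full set including punctuation, which is why the master passphrase advice leans on length first.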

I mentioned two-factor or multi-factor authentication earlier. You may be asking – what is a factor? A factor is simply a way to prove you are who you say you are. First, understand that there are really only three different factors:

  • Something you know – a password, a passphrase, a PIN, a secret code, a handshake, etc.
  • Something you have – a smartphone (with an app), a physical key, a USB token or fob, an identification card with a magnetic stripe, chip, or RFID embedded in it.
  • Something you are – a fingerprint, your voice, your retina, even the pattern of your veins under your skin

The combination of two, or all three, of these factors increases your security. Some are inexpensive to employ. Some are expensive to acquire, distribute, and support. Unfortunately, even the most expensive versions of these factors are not totally secure. Regardless, using two-factor or multi-factor authentication means that after entering your username and password, you must provide the second factor to complete the authentication, whether that means plugging in a USB key, using an app on your smartphone, or providing your fingerprint.

So here’s the dessert… a list of password managers I am comfortable recommending, including their price, formats, a usability rating, and a short blurb about them. I don’t take any responsibility for errors in this information. I pulled it directly from the websites of the various password managers on February 5th, 2019. If you want to use any of these, you will need to visit the site and read the documentation.

KeePass – https://keepass.info – Free – Windows, MacOS, Linux, Android, iOS, Chromebook, Windows Phone, Browser Extension – Intermediate to Advanced User

Requires the user to provide a storage location for the secured password vault. This could simply be on a single computer, but then it would only be accessible from that computer. Many who use this put the vault on cloud storage to have universal access. Also, the wide platform support is somewhat of a deception: the official KeePass program runs on Windows (and on MacOS and Linux through Mono), and the other platforms are covered by a ton of third-party apps that exist because the vault format is open and well documented.

BitWarden – https://bitwarden.com – Free or more features for $10/yr – Windows, MacOS, Linux, Android, iOS, Browser Extension, Web Interface – Novice User

Wide platform support and inexpensive for premium features. This password manager is a “new kid on the block”, but I use it personally and have been pleased with the free features. The premium license offers encrypted file storage for items like tax documents and other sensitive digital documents.

1Password – https://1password.com – $36/yr – Windows, MacOS, Linux, Android, iOS, Chromebook, Browser Extension – Novice User

A veteran password manager, which means it also has some bad history, but still a solid choice. The only one in this list with no free version. The added security is still worth the price.

LastPass – https://lastpass.com – Free or more features for $24/yr – Windows, MacOS, Linux, Android, iOS, Browser Extension, Web Interface – Novice User

Another veteran, LastPass has a free version and also starts at a reasonable price for premium features. The premium features are not necessary, but they do provide encrypted file storage for things like tax returns and other sensitive electronic documents.

There are lots of others, this is just a small sample.

I hope this article has been informative. Feel free to email me any questions and I’ll be happy to answer them for you.