Data Breach Notification: LiveJournal

In 2019, there was news of a possible breach of LiveJournal data. In May of 2020, the breach was confirmed by the release of the data on a hacking forum. There were 26 million records exposed from the site, which included email addresses, passwords, and usernames for the service.

There were 52 berry.edu or vikings.berry.edu email addresses included in the breach.

To find out if your information is included, you can go to Have I Been Pwned and enter your email address in the search form. While you are there, you can also sign up for breach notifications involving your Berry or other email addresses by clicking on “Notify Me” at the top of any page on the site.

If your information was included, be sure to change your password for the LiveJournal website. Also, check your posts and settings to make sure they have not been altered.

Be sure to NEVER reuse your Berry email password for any other website or service! Stay vigilant against phishing emails by learning what to look for. Check out the Phishing Quick Info page here on this site at a minimum.

As always, if you have questions about any of this, you can contact Information Security using the information on the right-hand side of any page on this site.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted.

Data Breach Notification: Covve

In February of 2020, it was revealed that Covve, who bills their address book app as the “smartest, simplest, contacts app”, experienced a data breach. Covve left a database exposed to the Internet without a password. There were nearly 23 million records exposed by the site, which included email addresses, job titles, names, phone numbers, physical addresses and social media profiles. Your data might have been included in the breach even if you did not use the service, as the data was provided by users of the service who chose to sync their phone and email contact lists with the site.

There were 57 berry.edu or vikings.berry.edu email addresses included in the breach.

To find out if your information was included, you can go to Have I Been Pwned and enter your email address in the search form. You can also sign up to be notified when your information appears in a breach by clicking on “Notify Me” at the top of any page on the Have I Been Pwned site.

If your information was included, there is not much that can be done to remove it from circulation. There were no passwords exposed by the breach, but there was plenty of personal information, as mentioned above. Hackers may attempt to impersonate your contacts or you using the information. As always, be very cautious when dealing with unexpected texts or emails, especially when they contain links or attachments.

Be sure to NEVER reuse your Berry email password for any other website or service! Stay vigilant against phishing emails by learning what to look for. Check out the Phishing Quick Info page here on this site at a minimum.

As always, if you have questions about any of this, you can contact Information Security using the information on the right-hand side of any site page.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

February News from Information Security

Welcome to the much delayed February newsletter! I apologize for the tardiness of this edition.

There is a fair amount of news to share, some of it WAY overdue, so I’ll start there.

First, if you are using multi-factor authentication (MFA), you experienced a change in your password settings this week. I apologize for the unannounced change; that was not the way it was planned. The change includes two very important modifications to your password requirements – first, and most importantly, your password does not expire for 365 days! That’s a whole year to not have to worry about changing passwords. Second, and still very important – your minimum password length has changed from 8 characters to 14 characters. Yes, that is a big change, but it shouldn’t be an issue, as you have a whole year to come up with another password! The change was important due to the increased maximum password age. A 14-character password is exponentially harder to crack than an 8-character password. Your basic password security is still important. If you have issues creating a 14-character password, please take a look at the good password guidelines Quick Info guide here on the site. It is a good quick resource for creating strong passwords.

Second, please check the recent post on this site about a data breach on the Adult Friend Finder website. There were 22 Berry email addresses included in that breach.

The third item on our list refers back to the first one. If you are not using MFA, you should be! In addition to only having to change your password once a year, you get the added security of multi-factor authentication. All faculty, staff and students are eligible and encouraged to use MFA, not only for Berry accounts, but for all of your accounts that support it. Multi-factor authentication and creating secure passwords are two life skills many of us never thought we would have to learn, but here we are!

Fourth, there is a LunchITS planned for Thursday, February 13th from noon until 1PM in Krannert 109. Bring your sack lunch or grab something in Krannert and come learn how to quickly spot phishing attempts and get a clearer understanding of the tactics, techniques, and procedures used by phishers as they attempt to sink a hook into our organization.

Finally, in lieu of a topic of discussion here in the newsletter, take a look at this great SANS OUCH! newsletter for February about Social Media Privacy. It goes right along with information from our recent Data Privacy Day back on January 28.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted.


Photo Credit – Photo by Yura Fresh on Unsplash

Data Breach Notification: Adult Friend Finder Website

In October of 2016, the website Adult Friend Finder experienced a data breach. This was a part of the larger Friend Finder Networks breach. There were nearly 170 million records exposed from the site, which included email addresses, passwords, spoken languages, and usernames for the service. 

There were 22 berry.edu or vikings.berry.edu email addresses included in the breach.

To find out if your information is included, you can go to Have I Been Pwned and enter your email address in the search form. You can also sign up for breach notifications from Have I Been Pwned by clicking on “Notify Me” at the top of any page on the site.

If your information was included, be sure to change your password for this website. Also, there is a chance that hackers may attempt to blackmail you with this information.

Be sure to NEVER reuse your Berry email password for any other website or service! Stay vigilant against phishing emails by learning what to look for. Check out the Phishing Quick Info page here on this site at a minimum.

As always, if you have questions about any of this, you can contact Information Security using the information on the right-hand side of any site page.

Data Breach Notification: Data Enrichment Exposure

In October, a large database was left unsecured and exposed to the Internet. This database contained “enriched” data profiles, which means that someone had taken some basic information about a person, like an email address or social media profile, and then searched and cross-referenced publicly available data to gather as much information as possible about that person. Companies do this for millions of people and then sell these “enriched” profiles to ad companies to help them target potential customers. It’s one of the reasons you get SO MUCH SPAM.

There were over 600 million accounts in the exposed database. There were 2,789 berry.edu or vikings.berry.edu email addresses in those records. There were NO passwords included in this breach.

To find out if your information is included, you can go to Have I Been Pwned and enter your email address in the search form. You can also sign up for breach notifications from Have I Been Pwned by clicking on “Notify Me” at the top of any page on the site.

The information included email addresses, employers, geographic locations, job titles, names, phone numbers, and social media profiles. While none of the individual pieces of this information alone are considered damaging or sensitive, the accumulation of this data in a single profile not only helps advertisers, but it also helps scammers more accurately target people by sending focused phishing emails that seem more credible.

Stay vigilant against phishing emails by learning what to look for. Check out the Phishing Quick Info page here on this site at a minimum.

As always, if you have questions about any of this, you can contact Information Security using the information on the right-hand side of any site page.


November News from Information Security

The days keep marching on! It’s November already and holidays and finals are growing ever closer. Fall weather is finally here, just in time for winter to blow in.

I want to thank everyone who came by the table in Krannert during National Cyber Security Awareness Month in October. We had more people stop by this year than ever before and one lucky person won the big prize on Halloween. In addition to some Berry-branded drinking apparatus, they got lots of candy and a Yubico YubiKey that will help them increase the security on lots of their online accounts. There were over 60 visits to the table this year, the weekly articles were viewed over 170 times and the videos had dozens of views. I hope you had as much fun watching the last two videos as I did writing and making them.

Another piece of information I want to pass along is the implementation of automatic idle lock for campus workstations. This has been mentioned before, but to refresh your memory, this simply means that most computers on campus, if left idle for ten minutes, will lock the desktop, requiring the user to enter their credentials to gain access. Information Technology has been working hard to make sure this policy does not impact computers in classrooms, meeting rooms, and other places where there is a potential for the policy to interrupt class or meetings. The important information I want to pass along is that this policy will go into effect on January 6th, 2020, when everyone returns from the holidays. More information will be provided between now and the end of the semester.

Keep an eye on this site to see when the next Krannert table is scheduled. The front page has an “Events” link in the main menu that will show all of the upcoming events being offered by Information Security. Also listed on the events page will be any upcoming LunchITS, where we dig into a topic for the duration of the lunch hour while enjoying our lunch. There will be one in early November, but the date is not yet finalized.

You can also check back for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me.

If you notice any issues with the site, as it is undergoing an upgrade and expansion, please let me know by emailing infosec@berry.edu.

Let’s take a few moments and dig into this month’s topic. Data security.

As I hope you inferred from all of the events and activity during October, information security efforts will only be successful when all members of the campus community understand the risks and take steps to avoid them. One of the biggest risks is the exposure of confidential data.

Did you know? In 2017 the education industry (which includes K–12 and higher education institutions) had 7,837,781 records breached in 35 events. To put that into perspective, the healthcare industry had 6,058,989 records breached in 428 events, and the retail industry had 123,652,526 records breached across 33 events. (See Privacy Rights Clearinghouse Chronology of Data Breaches, 2017 data.)

More than half of the breaches in the education sector were caused by activities directly attributable to human error, including lost devices, physical loss, and unintended disclosure (see figure 1). These breaches were arguably preventable through basic information security protection safeguards.

bar chart showing types of security breaches among educational institutions
Figure 1. Types of security breaches among educational institutions

What can you do every day to protect data? There are very few, if any, verticals such as higher education that transmit, process, access, and share such varying sensitive data elements. There is not a “one size fits all” blueprint for information security controls that all institutions can follow. Yet all campus members have a responsibility to know basic information security protections to safeguard data and prevent those data from being mishandled:

  • Update your computing devices: Ensure updates to your operating system, web browser, and applications are being performed on all personal and institution-issued devices. Updates to college-owned computers are handled automatically as long as the computer is online to receive the update and is rebooted on a regular basis.
  • Use multi-factor authentication: Whether for personal use or work, multi-factor authentication (MFA) can prevent unauthorized access even if your login credentials are stolen or lost. If you would like MFA enabled for your account, please email computing@berry.edu and request it.
  • Create really strong and unique passwords: Create unique passwords for all personal and work accounts. In today’s environment, one of the best ways to create a really strong password is to use a password manager for all of your accounts. A password manager will alleviate the burden of having to memorize all the different complex passwords you’ve created by managing them all in one “vault” and locking that vault with a single master password.
  • Protect your devices: Using biometrics or six-digit passcodes on smartphones and tablets is critical to keeping curious minds from accessing personal information, work email, or retail/banking applications. It also helps protect your device if you lose or misplace it.
  • Understand where, how, and to whom you are sending data: Many breaches occur because of “oopsie moments” where we accidentally post sensitive information publicly, mishandle or send to the wrong party via publishing online, or send sensitive information in an email to the wrong person. Taking care to know how you are transmitting or posting data is critical.

Getting ready to send data to a vendor or sign a contract? With more and more services moving to the cloud, higher education institutions have an additional obligation to ensure that third parties are protecting our most sensitive information. If you or your department is looking to purchase or adopt a service or technology that uses institutional data, it is imperative that you include the Office of Information Technology (OIT) at the beginning of the project or contract process to help ensure that data are properly protected. To determine whether or not OIT should be involved in the vendor/contract process, ask yourself the following questions:

  • Does the project (and in-scope technologies) involve the handling or storage of personal data (e.g., student data, employee data, donor data, research data, or financial data)?
  • Does the project (and in-scope technologies) involve the handling or storage of personal data that is regulated by government entities or has special contractual obligations to a third party (e.g., contract sponsored for research)?
  • Is there transfer of any institutional data from an institution-owned system or device to a third-party vendor-contracted system or device?
  • Does the project involve acquiring/implementing/developing software, services, or components that your institution has not previously deployed?
  • Does the project involve providing a new data feed to an existing campus partner?
  • Does the project involve accepting card payments in any way?

If the answer to any of the above questions is “yes,” please collaborate with OIT at the beginning of the project to ensure that institutional data are properly protected. You can simply email computing@berry.edu and let the Technical Support Desk know you have a new service you want to implement. They will get the right staff in touch with you.

Have a great November!


Photo by Priscilla Du Preez on Unsplash

Data Breach Notification: Wanelo


Sometime in December 2018, the digital mall Wanelo suffered a data breach that included 23 million unique email addresses along with passwords. Some passwords were stored with weak encryption, others with better encryption. Either way, they are exposed and should be changed. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in April 2019. There were 142 Berry email addresses included in this breach. You can read more about it by clicking on the link in the first sentence of this notice. To find out if you are included, you can go to Have I Been Pwned and enter your email address in the search form. You can also sign up for breach notifications from Have I Been Pwned by clicking on “Notify Me” at the top of any page on the site.
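The notice above says some Wanelo passwords were stored with "weak encryption" and others with "better encryption". The short Python example below, which is added here and is not code from Wanelo or from this site, shows what that difference means in practice. It is an illustration with constructed sample values and does not reflect the specific schemes Wanelo used: the "weak" store is an unsalted fast hash (MD5), and the "better" store is a salted, memory-hard key derivation function (scrypt from the standard library). The function and constant names are my own.

```python
import hashlib
import hmac
import os

# Constructed sample value for the demonstration; not from any breach.
SAMPLE_PASSWORD = "correct horse battery staple"

# scrypt work factors used by both the store and verify routines.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def weak_store(password: str) -> str:
    """'Weak' storage: an unsalted, fast hash.

    Every user with the same password gets the same digest, and a digest
    can be matched against a table of hashes computed in advance.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_store(password: str, salt: bytes = b"") -> str:
    """'Better' storage: a per-user random salt plus a slow, memory-hard KDF.

    Returns a record of the form 'scrypt$<salt hex>$<key hex>'.
    """
    if not salt:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Check a candidate password against a record produced by strong_store."""
    scheme, salt_hex, key_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(key.hex(), key_hex)


def same_password_visible(store_fn, password: str) -> bool:
    """True if storing the same password twice yields identical records.

    When this is True, anyone who obtains the database can see which users
    share a password without guessing anything.
    """
    return store_fn(password) == store_fn(password)


# A tiny precomputed table of very common passwords (constructed list).
# Against unsalted fast hashes, a table like this resolves digests instantly;
# against salted scrypt records it is useless, because each salt changes the output.
COMMON_PASSWORDS = ["password", "123456", "qwerty"]
PRECOMPUTED_WEAK = {weak_store(p): p for p in COMMON_PASSWORDS}


def weak_digest_is_common(digest: str):
    """Return the common password behind an unsalted digest, or None."""
    return PRECOMPUTED_WEAK.get(digest)


if __name__ == "__main__":
    print("weak records identical for same password:",
          same_password_visible(weak_store, SAMPLE_PASSWORD))
    print("scrypt records identical for same password:",
          same_password_visible(strong_store, SAMPLE_PASSWORD))
    record = strong_store(SAMPLE_PASSWORD)
    print("scrypt verify correct password:", verify_strong(SAMPLE_PASSWORD, record))
    print("scrypt verify wrong password:  ", verify_strong("wrong", record))
    print("weak digest of 'password' found in table:",
          weak_digest_is_common(weak_store("password")))
```

The two things to take from running it: with the unsalted fast hash, two users who chose the same password produce the same stored value and a common password is recognised from a pre-built table, while with salted scrypt every record differs and each guess costs real CPU and memory. That is why a breach of "weakly" stored passwords is treated as a full exposure and why the notice tells you to change the password everywhere it was reused.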

If you are affected by this breach, take the following steps to control and secure your online data:

  1. Go to the site and check that your information is correct
  2. While you are there, CHANGE YOUR PASSWORD!
  3. If you reused that password anywhere else, go to those sites and change the password.
  4. Don’t use that password again!
  5. If the site offers multi-factor authentication (sometimes called two-step authentication), enable it, configure it, and feel a little safer.