Data Breach Notification: Poshmark

In mid-2018, social commerce marketplace Poshmark suffered a data breach that exposed 36M user accounts. Clicking on the link in the previous sentence will take you to an article with more details. The compromised data included email addresses, names, usernames, genders, locations and passwords. There were 198 Berry accounts included in this breach. To find out if you are included, you can go to Have I Been Pwned and enter your email address in the search form there. You can also sign up for breach notifications from Have I Been Pwned by clicking on “Notify Me” at the top of any page on the site.

If you are affected by this breach, take the following steps to control and secure your online data:

  1. Go to the site and check that your information is correct.
  2. While you are there, CHANGE YOUR PASSWORD!
  3. If you reused that password anywhere else, go to those sites and change the password.
  4. Don’t use that password again!
  5. If the site offers multi-factor authentication (sometimes called two-step authentication), enable it, configure it, and feel a little safer.

How to Check Your Email Rules, or Cleaning Up After an Email Hack

Your email is one of your digital identities. When it is hacked or stolen from you, “bad things will happen”. Some email accounts are hacked to enable the attacker to steal other email accounts or impersonate you to manipulate someone else. Other times, the account is simply used to send a lot of spam or phishing emails and then discarded when the attacker no longer needs it. Either way, once you gain control back, you need to do some housecleaning, just like you would if someone broke into your house or stole your car.

One of the most important things to do is to check your email rules. Email rules allow you to automatically handle, sort, or dispose of select emails when they arrive in your Inbox. When someone gets control of your account, they can put in email rules that delete all your emails, or that forward them to the attacker so they can read your email and potentially gain sensitive information about you. Most students only check their Berry Vikings email on their phone, so it may seem strange to log into your account on a laptop or desktop, but this is the easiest way to check your email rules.

Microsoft is currently updating the Email pages on Office365, so there are two different ways to check email rules, depending upon whether or not you have logged into your email on a web browser before.

If you are using the “new and improved” Office365 Mail web pages, this is the process to check your mail rules.

  1. Log in at https://mail.berry.edu with your Viking email credentials
  2. Click on the cog or gear on the upper right of the browser window
  3. Click on “View all Outlook settings” at the bottom right of the window. You may have to scroll to see it.
  4. Click on Mail on the left-hand side of the window, then on “rules” in the second column.
  5. Your mail rules, if you have any, will be shown. Look for any that “applies to all emails” and particularly ones that forward or delete emails.
  6. You can delete any rules you don’t want by clicking on the trash can to the right of the rule.

If you have the old version of Office365 Email, follow this procedure:

  1. Log in at https://mail.berry.edu with your Viking email credentials
  2. Click on the cog or gear on the upper right of the browser window
  3. In the box that says “Search all settings” type “rules”.
  4. The first item that shows under this search says “Inbox rules”. Click on it.
  5. Your mail rules, if you have any, will be shown. You will have to click on each one to read what it does. Again, look for any that “applies to all emails” and particularly ones that forward or delete emails.
  6. You can disable the rule by unchecking the box to the left of it, then you can delete it by clicking on the trash can at the top of the list.
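The check in step 5 of both procedures (rules that apply to all emails and that forward or delete them) can also be run over an exported list of rules. This is an added example, not part of the original article: it assumes the rules are available as JSON in the shape of Microsoft Graph's messageRule resource, and the sample rules, function names and internal-domain setting are constructed for illustration.

```python
# Added example: flag inbox rules that forward, redirect or delete mail.
# Field names follow Microsoft Graph's messageRule resource; sample data is constructed.
INTERNAL_DOMAIN = "berry.edu"  # assumption: addresses under this domain are internal
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
DELETE_ACTIONS = ("delete", "permanentDelete")

def is_external(address):
    domain = address.rsplit("@", 1)[-1].lower()
    return not (domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN))

def review_rule(rule):
    """Return the reasons this rule deserves a closer look (empty list if none)."""
    actions = rule.get("actions") or {}
    # A rule with no conditions is what the web page shows as "applies to all emails".
    applies_to_all = not any((rule.get("conditions") or {}).values())
    reasons = []
    for key in FORWARD_ACTIONS:
        for rcpt in actions.get(key) or []:
            addr = rcpt["emailAddress"]["address"]
            where = "external" if is_external(addr) else "internal"
            reasons.append(f"{key} -> {addr} ({where})")
    for key in DELETE_ACTIONS:
        if actions.get(key):
            reasons.append(f"{key} messages")
    if reasons and applies_to_all:
        reasons.append("applies to all messages")
    if reasons and not rule.get("isEnabled", True):
        reasons.append("currently disabled")
    return reasons

def review_rules(rules):
    """Map rule display name -> reasons, keeping only rules with findings."""
    return {r["displayName"]: found for r in rules if (found := review_rule(r))}

# Constructed sample rules (not taken from any real mailbox).
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]}, "actions": {"moveToFolder": "folder-id"}},
    {"displayName": "Sync", "isEnabled": True, "conditions": None,
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@example.net"}}],
                 "delete": True}},
    {"displayName": "To advisor", "isEnabled": False, "conditions": {"subjectContains": ["advising"]},
     "actions": {"redirectTo": [{"emailAddress": {"address": "advisor@berry.edu"}}]}},
]

if __name__ == "__main__":
    for name, reasons in review_rules(SAMPLE_RULES).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

A rule that only sorts mail into a folder produces no findings; a forward to an internal address is still listed so the mailbox owner can confirm they created it.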

As always, if you have any questions about this process or any aspect of information security, please email infosec@berry.edu.


August News From Information Security

It’s August! Classes begin in just a few short weeks. This month’s newsletter is about staying safe online and covers a number of different topics, but first, here are some reminders and notices of things to come right here on campus.

Security awareness posters will return next week. On Tuesday, August 6th, departmental security awareness posters will be distributed. In September, both departmental and student posters will be distributed around the campus. There will be a chance to win a prize in September, so be sure to stay tuned.

The first LunchITS lunch-time training session was held on Thursday, August 1st. There will be more of these as the semester begins and all through the coming academic year. These lunch hour sessions cover various security awareness topics. The first topic was account security and it covered passwords, password managers, and multi-factor authentication. For those who couldn’t attend, it will be repeated during the fall semester, so there will be another chance to get this training.

Please consider requesting multi-factor authentication (MFA) for your Berry account and also consider using it for any other accounts you have that support it. It is easy to get MFA; just email computing@berry.edu and request it be enabled. You will also get information on how to set up and use it.

Many departments will be required to complete security awareness training related to the applicable laws, regulations, and constraints associated with their primary job responsibilities. You will be notified via email if you are required to take this training.

Please continue reading for tips on how to stay safe online.


Americans use 3,138,420 GB of internet data every minute of the day. It is safe to say that being online is now a way of life for many. Engaging in safe and secure online practices helps protect against the risks of living life on the internet.

Shopping, surfing, banking, gaming, and connecting Internet of Things devices such as toasters and refrigerators are some of the many actions performed each minute in cyberspace. These common everyday activities carry the cyber threats of social engineering to gain unauthorized access to data, identity theft, bullying, location tracking, and phishing, to name just a few. How can we decrease our risk from these cyber threats without abandoning our online activities altogether? Here are some basic online tips everyone can follow to help stay secure while online.

  • Set up alerts. Consider setting up alerts on your financial accounts. Many credit card companies and banks allow you to set up alerts on your accounts via their websites. These alerts range from sending you an email or text each time a transaction happens on your account to alerts when transactions meet or exceed a designated spending limit that you set. These alerts keep you in control of your accounts’ activities. These types of alerts are useful because they make you aware of what’s going on with your account quicker than waiting for monthly statements. When you receive an alert about a transaction that you did not authorize, you can reach out to the credit card company or bank immediately. Log into your credit card company and banking websites to set up alerts on your accounts.
  • Keep devices and apps up to date. This familiar tip is useful even if you are just casually surfing the internet. Keeping your devices up to date (including apps and operating systems) ensures you have the latest security fixes.
  • Don’t use public Wi-Fi. In addition to an updated device, the network the device is connected to is also important. Did you have to enter a password to connect to a Wi-Fi network? If you did, that network is more secure than an open one that any device within range can connect to. Whenever possible, use a secure network, especially when banking or shopping online.
  • Consider using a VPN. VPN stands for virtual private network, and its main purpose is to provide a tunnel for encrypted internet traffic. If you are connected to the internet without using a VPN, your traffic is passed through the internet service provider’s servers. The location of your device is known, and if you must connect to a public Wi-Fi network, there is a risk of snooping by other devices on the same network. Connecting to a VPN redirects your internet traffic to a remote server, encrypting the traffic, reducing the snooping risk. There are many options for VPN software today for consumers and businesses. Do your research and decide which one makes sense for your online needs.
  • Create unique passwords. Here’s another familiar tip. Using the same password for many sites is not a best practice. Suppose that one of your accounts suffered a data breach and your password was exposed. If you reused this password on other accounts, it’s likely that someone would be able to access those accounts as well (especially if your user name is an email address). Consider using a password manager to manage all your passwords. Not only do these tools manage all your passwords, they can also create strong passwords and can even autofill your username and password as you go to websites on different browsers.
  • Be vigilant. Be aware, there are fake websites out there waiting to collect your valuable information. Make sure you are on a legitimate site by double-checking the URL (the website address) to make sure it is spelled correctly. Also make sure you see a padlock and https:// in the URL.

Remember that you are in control of your online activities. Following these security tips will give you peace of mind while online.

March News from Information Security

March is here! Spring Break can’t be far away. This month we are focusing on protecting your rights as a consumer. We are all consumers at some point and we should take proactive steps to make sure we are making good financial decisions and setting ourselves up to be able to recover from identity theft.

This article is posted today so that you can read it before National Consumer Protection Week (March 3-9) begins. This week is dedicated to helping consumers know their rights and make well-informed decisions about their finances. Check out the FTC site linked above for more information.

Identity theft has become a fact of life during the past decade. If you are reading this, it is a safe bet that your data has been breached in at least one incident. Does that mean we are all helpless? Thankfully, no. There is a lot we can do to protect ourselves from identity theft and to make recovery from cyber incidents quicker and less painful.

First, take control of your credit reports. Examine your own report at each of the “big three” bureaus. You get one free report from each credit bureau once per year. You can request them by going to AnnualCreditReport.com. Make sure there’s nothing inaccurate in those reports, and file for correction if needed. Then initiate a credit freeze at each of those plus two other smaller ones. Instructions can be found at Krebs on Security. To keep an eye on your credit report all year, space out your credit bureau requests by requesting a report from a different credit bureau every four months.

Next, practice good digital hygiene. Just as you lock your front door when you leave home and your car when you park it, make sure your digital world is secured. This means:

  1. Keep your operating system up to date. When OS updates are released, they fix errors in the code that could let the bad guys in. Be sure to update. It takes a few minutes, but could protect you from serious financial harm.
  2. Do the same for the application software you use. Web browsers, plug-ins, email clients, office software, antivirus/antimalware, and every other type of software has flaws. When those flaws are fixed, you are in a race to install that fix before someone uses the flaw against you. The vast majority of hacks leverage vulnerabilities that have a fix already available.
  3. Engage your brain. Think before you click. Think before you disclose personal information in a web form or over the phone.
  4. Think before you share on social media sites. Some of those fun-to-share-with-your-friends quizzes and games ask questions that have a disturbing similarity to “security questions” that can be used to recover your account. Do you want the answers to your security questions to be published to the world?
  5. Use a password manager and keep a strong, unique password for every site or service you use. That way a breach on one site won’t open you up to fraud at other sites. See the article posted right here on this website about password managers.
  6. Back. It. Up. What do you do if you are hit with a ransomware attack? (Or a disk failure?) If you have a recent off-line backup, your data are safe, and you can recover without even thinking about paying a ransom. Check into cloud storage like Dropbox and OneDrive and backup options like iDrive, Acronis, and Carbonite.
  7. Full disk encryption is your friend. If your device is stolen, it will be a lot harder for a thief to access your data, which means you can sleep at night. This is available in both Windows and macOS operating systems and almost all smartphones.
  8. Check all your account statements regularly. Paperless statements are convenient in the digital age. But it is easy to forget to check infrequently used accounts. Make a recurring calendar reminder to check every account for activity that you don’t recognize.
  9. Manage those old-style paper statements. Don’t just throw them in the trash or the recycle bin. Shred them with a cross-cut shredder. Or burn them. Or do both. Data stolen from a dumpster are just as useful as data stolen from a website.

If you’ve been a victim of identity theft:

  • Create an Identity Theft Report by filing a complaint with the Federal Trade Commission online (or call 1-877-438-4338).
  • Use the Identity Theft Report to file a police report. Make sure you keep a copy of the police report in a safe place.
  • Flag your credit reports by contacting the fraud department of any one of the three major credit bureaus: Equifax (800-685-1111); TransUnion (888-909-8872); or Experian (888-397-3742).

Set aside some time in March to manage your financial accounts and take precautions like those listed above.

For more information, check out the FTC video “Five Ways to Help Protect Your Identity”.

The content above is provided by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council.

Be on the lookout for new security awareness posters in the residence halls and other locations on campus. There will be a table in Krannert toward the end of the month, after Spring Break. There will be two more chances to win a prize, one related to the posters and another at the table in Krannert.

Below is a list of useful resources, including some mentioned above.