Social Media Privacy & Safety

Data/photo breaches involving both celebrities and regular people are all over the news.  It does raise a lot of questions about what people are putting online and how to stay safe.  Here are a few things to keep in mind when putting information online:

Be selective about who you accept as a friend on a social network.
The Internet allows for people to create false identities, fake accounts, and misrepresent other individuals’ thoughts and opinions.  People can pretend to be someone else and solicit information or communicate with others.  Be sure you know with whom you are communicating on the Internet.  Verify their identity if you are not sure.

Do not allow social networking services to scan your email address book.
When you join a new social network, you might receive an offer to enter your email address and password to find out if your contacts are on the network.  Avoid this.  The site may use this information to send unsolicited emails to everyone in your contact list or even everyone you’ve ever sent an email message to with that email address.  Social networking sites should explain that they are going to do this, but some do not.

Resist announcing that you are on vacation or some sort of trip.
It’s tempting to let everyone know you’re away on a beach or in some exotic location, but it may also let burglars know that you’re leaving your house unoccupied.  This is especially true for sites like Instagram, Twitter, or other social networking sites where your information is made public (not just announced to your friends).

You may want to wait until you’re home to post all your trip experiences and pictures.

Disable location posting in apps
Consider disabling the setting in apps that lets people know where a photo was taken, or where you were when a tweet or Facebook post was made.

Consider the consequences if the information is viewed by others
You may (or may not) have appropriate privacy settings for your social media.  Even if you do, what happens when that site or your account is compromised?  What happens when that site changes their privacy settings (as has happened in the past) and thus makes your information public?

Employers are looking at your online presence.  Don’t leave information up online that would reflect poorly on your future job prospects, or possibly even your current job.  As fun as it might have been to go into excessive detail about what was done at a party or other event – think about it before posting.  Assume that everything you put on a social networking site is permanent.  Even if you can delete your account, anyone on the Internet may have already saved photos, text, or videos from your profile to their computer.

Protect your smartphone
So let’s say you were very careful about your privacy settings online and you never posted anything that would put you in an uncomfortable position.  What about your phone?  What would happen if someone obtained your phone?  Do you have anything in place to prevent this from happening?  If you don’t already do this, there are a couple of things to start with:

  • Don’t leave your smartphone unattended.  You may trust your coworkers or friends, but don’t be too quick to extend trust to people you do not know.  Put it in your coat, pocket, desk, purse, backpack, wherever.  Keep it out of view.
  • Make sure your phone has a passcode or PIN to unlock (or uses a fingerprint scanner or some similar method).
  • Enable encryption on your smartphone (so that if someone did obtain your phone, it is far more difficult for them to get to the data on it).

Thanks to John Oles in the Office of Communication and Marketing, and Investigator Bruce Chambers, of University Police, for contributing to this article.

Cyber Security Awareness Month

October is, again, National Cyber Security Awareness Month.  During this month, we like to bring an additional focus to security threats that face the campus and its data, as well as those affecting our faculty, staff, and students in their personal activities online.

As part of this month, we will be having various events including training (for faculty & staff) and screenings of the documentary “Code 2600” followed by a Q&A about cyber security issues (as well as about jobs in the cyber security field).

You may see around campus our flyers talking about Cyber Security Awareness.  We’ve included those four flyers below.
[Images: Security Awareness Flyers 1 through 4]

The campaign idea is courtesy of the University of California – Berkeley, and is used with their permission.

Recent password breach in the news (and general password advice)

Hello all,

We’ve had several people contacting us about the recent news stories about Russian hackers who have allegedly obtained over a billion passwords. For more information on the story, see the NY Times article at: http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html

That being said, the question is – what should an individual do about it? Though it has not yet been disclosed what systems and services have been breached, you can get ahead of this issue in a couple of steps:

  • Change your passwords regularly (at least yearly) – especially on any site that would give a criminal access to financial resources (banks, credit cards, PayPal, etc.) or other personal information (your email accounts, social media accounts like Facebook, Twitter, and Instagram, etc.).
  • Don’t reuse passwords. It’s very tempting to use the same password or a small handful of passwords online, especially as we continue to have more and more of a presence online. Unfortunately, it leads to a lot of security issues. If you use the same password on 5, 10, 20, or more sites, one of those sites getting compromised can lead to the rest of your accounts being at risk.
  • Make sure the passwords for your email accounts are very strong. With access to your email account(s), someone can simply request password reset emails on most (or all) of the other sites you use.

What are some ways you can make managing passwords easier?

  • Consider using a password manager application such as KeePass (which stores the password database on your computer) or LastPass (which stores your passwords encrypted on their servers). These password managers can generate random, complex passwords for each site, or just save passwords that you come up with manually.  Note: Computer Services and SUNY New Paltz do not endorse or support any specific password manager application.
  • Don’t just use simple 8 character passwords. Consider using passphrases. The phrase should be something you can easily remember and associate with the site.
    • For example, I could have a passphrase for Amazon (which I still associate with books) of: Buy Stephen King Books 1974 (where I list an author I like and the year one of his books I like came out).
    • Similarly I could have a password for my bank where I choose a password of: I’d prefer lots more $$ here. (which incorporates special characters as well)
  • Come up with a password system which will let you use a different password for each site in an easy to remember way.
    • Think of a book, movie, or song that you can associate with the site. For example, let’s say for some reason I associated the 1978 movie “Animal House” (starring John Belushi) with New Paltz. I could then come up with a quick 8 character password of: ah1978JB (first letters of each word in the movie title, the year it came out, then the capitalized initials of the movie’s star). For extra security, throw a special character after or before the year, such as ah&1978JB.
    • Create a “word image” for each site. Since New Paltz has two words, starting with an “N” and a “P”, I can come up with the word image of Noisy Pigs and make that, combined with some numbers/characters, my password: Noisy#30Pigs.  Visualizing an image makes a password easier to remember.
  • As a last resort, consider keeping (in a locked drawer or other locked location) a list of usernames and passwords.
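As an added illustration (not code from the original post), the following shows what a password manager’s “generate a random password per site” feature does under the hood, and puts numbers on the “don’t just use simple 8 character passwords” advice by estimating entropy for a short password, a longer random one, and a multi-word passphrase. It uses only the Python standard library; the site names are constructed placeholders, and the dictionary size used for the passphrase estimate is an assumption.

```python
"""Added example: per-site random passwords plus a rough entropy comparison.
Not part of the original post; site names below are constructed."""
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character independently from a CSPRNG (secrets, not random)."""
    if length < 8:
        raise ValueError("refusing to generate a password shorter than 8 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_bits(length, alphabet_size):
    """Entropy of `length` symbols chosen uniformly from `alphabet_size`
    symbols: log2(alphabet_size ** length), i.e. length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, dictionary_size):
    """Entropy of a passphrase built from `word_count` words chosen uniformly
    from a `dictionary_size`-word list (assumed 7776 words, a common list size)."""
    return word_count * math.log2(dictionary_size)


def per_site_vault(sites, length=16):
    """One independent random password per site, so one site's breach reveals
    nothing about the others (the 'don't reuse passwords' rule)."""
    return {site: generate_password(length) for site in sites}


def comparison():
    """Bits of entropy for the three password styles discussed above."""
    return {
        "8 random letters+digits": round(random_bits(8, 62), 1),
        "16 random printable ASCII": round(random_bits(16, len(ALPHABET)), 1),
        "5-word passphrase (7776-word list)": round(passphrase_bits(5, 7776), 1),
    }


if __name__ == "__main__":
    # Constructed placeholder site names.
    for site, pw in per_site_vault(["bank.test", "shop.test", "mail.test"]).items():
        print(f"{site:10s} {pw}")
    for style, bits in comparison().items():
        print(f"{bits:6.1f} bits  {style}")
```

The estimates assume every symbol or word is chosen uniformly at random; a passphrase you compose yourself from a favourite author and year is easier to remember but does not reach the uniform-choice figure, which is why a manager-generated password is the stronger option where you do not need to memorize it.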
Why you should say goodbye to Windows XP

It’s a hard thing to say goodbye to a trusted piece of equipment that has always been a reliable workhorse: your first car, your first cell phone, and, as of April 8th, Windows XP. While Windows XP has been a stand-by operating system for the last 13 years, it is finally bidding us goodbye and will officially be retired from support this coming month. Microsoft announced this news over a year ago, but some people are still holding onto their old computers – and that could turn out to carry a higher price than buying a new PC! As Microsoft states, “An unsupported version of Windows will no longer receive software updates from Windows Update. These include security updates that can help protect your PC from harmful viruses, spyware, and other malicious software, which can steal your personal information. Windows Update also installs the latest software updates to improve the reliability of Windows—new drivers for your hardware and more.”  Not only will you and your information be more vulnerable, but your computer will not work with the newest gadgets, inventions, or even printers!

As of April 8th 2014 Microsoft will no longer be issuing security updates for Windows XP which will leave any system still running it open to a myriad of security issues. This could leave your personal and financial information more vulnerable to being compromised – something that can take years of work to set right again and hours of frustration finding out the financial havoc that has been wrought. With many alternatives out there – Windows 7, Windows 8, or perhaps the new Apple OS, OS X Mavericks – there are a few ways of solving this problem. Unfortunately, the only safe way to keep your XP computer is to keep it disconnected from the Internet and who wants to do that? The Internet is where all the cats are….

Advertisement Blocking

One common threat to computer security (both your own devices, and campus computers) is malware distributed through advertising networks.  The advertisements you see on most sites are not actually provided by that site – they are delivered through third parties such as Google, Yahoo, or a host of others.

Unfortunately the security on these ad networks has led to compromises on them, both small scale and large scale.  Most recently people who went to sites where ads were delivered by the Yahoo ad network were at risk of viruses just by viewing these sites (http://www.ibtimes.com/yahoo-malware-hundreds-thousands-users-may-be-infected-due-malicious-ads-report-1526736).

Because of the prevalence of these security issues, you may want to consider using an ad blocking plugin with your web browser, such as Adblock Plus.  Ad blocking software works by examining the URL (and other attributes) of each image, script, or other element a page requests, and selectively not loading the portions of the site that match its block list.

The most common software for this is called “Adblock Plus” and it can be obtained for free from: adblockplus.org.  Using this software (or something similar), in conjunction with anti-virus software, gives you an additional layer of protection.
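To make the “based on the URL” description concrete, here is an added example (not Adblock Plus’s own code) of the core decision an ad blocker makes: given the list of resources a page wants to load and a block list, decide which requests to drop. It implements a deliberately simplified subset of the Adblock Plus filter syntax (`||host^` blocks a host and its subdomains, `@@` marks an exception rule); the rules and URLs below are constructed samples, not a real filter list.

```python
"""Added example: a toy URL-based resource filter in the spirit of an ad
blocker. Simplified filter syntax; rules and URLs are constructed samples."""
from urllib.parse import urlparse

# Constructed sample rules. "||host^" blocks that host and its subdomains;
# a rule starting with "@@" is an exception that overrides a block.
# Hostnames are placeholders, not real ad networks.
SAMPLE_RULES = [
    "||ads.example-adnetwork.test^",
    "||tracker.example.test^",
    "@@||ads.example-adnetwork.test/safe/",   # hypothetical allowed path
]


def parse_rules(rules):
    """Split rules into (host, path_prefix) tuples for blocks and exceptions."""
    blocks, exceptions = [], []
    for rule in rules:
        is_exception = rule.startswith("@@")
        body = rule[2:] if is_exception else rule
        if not body.startswith("||"):
            raise ValueError(f"only ||host rules are supported in this example: {rule}")
        body = body[2:].rstrip("^")            # "^" separator is ignored here
        host, sep, path = body.partition("/")
        entry = (host.lower(), "/" + path if sep else "")
        (exceptions if is_exception else blocks).append(entry)
    return blocks, exceptions


def _matches(url, entry):
    """True if the request host equals (or is a subdomain of) the rule host
    and the request path starts with the rule's path prefix."""
    host, path_prefix = entry
    parsed = urlparse(url)
    req_host = (parsed.hostname or "").lower()
    host_ok = req_host == host or req_host.endswith("." + host)
    return host_ok and parsed.path.startswith(path_prefix)


def should_block(url, rules=SAMPLE_RULES):
    """Exceptions win over blocks, as in real filter engines."""
    blocks, exceptions = parse_rules(rules)
    if any(_matches(url, e) for e in exceptions):
        return False
    return any(_matches(url, b) for b in blocks)


def filter_page_resources(urls, rules=SAMPLE_RULES):
    """Return (loaded, blocked) lists for the resources a page requests."""
    loaded, blocked = [], []
    for url in urls:
        (blocked if should_block(url, rules) else loaded).append(url)
    return loaded, blocked


if __name__ == "__main__":
    # Constructed sample of what one page might request.
    page_requests = [
        "https://www.example-news.test/article.html",
        "https://ads.example-adnetwork.test/banner.js",
        "https://cdn.tracker.example.test/pixel.gif",
        "https://ads.example-adnetwork.test/safe/logo.png",
    ]
    loaded, blocked = filter_page_resources(page_requests)
    print("loaded:", *loaded, sep="\n  ")
    print("blocked:", *blocked, sep="\n  ")
```

Note what this does and does not protect against: a request to a listed ad host is never made, so a malicious ad served from that host never reaches the browser, but a compromised first-party page or an ad host not on the list is untouched, which is why the article pairs ad blocking with anti-virus rather than treating it as a replacement.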

Note: SUNY New Paltz takes no position on whether advertisements should or should not be blocked.  This recommendation is purely from a security standpoint due to the cases of malware impacting ad networks.  We are unable to install or configure these applications on your computers or devices.

Credit card scams and you

Everyone has been hearing in the news about the recent credit card breaches involving Target, Neiman Marcus, and others.  Because of this, hopefully you are all checking your credit card statements (both personal, and campus procurement cards for those who have them) regularly for fraud.  Even if you haven’t shopped at a retailer that is identified as being compromised, checking regularly is important.

That being said, scammers are taking advantage of the fear over the recent breaches and trying to get your personal/financial information as a result.  There have been many reports of people getting phone calls stating that their credit or debit card is locked.

What do you do if you receive such a call?  First off, if the call doesn’t even identify what bank it is for you can safely ignore it as a scam and hang up.  If they do identify the bank, then you should still hang up, and contact your bank.  You should ONLY use the phone number either on the back of your card, or the phone number on your bank/credit statement.  Those are the only safe methods in a situation like this.  Do not ever discuss any personal/financial information when you did not initiate the phone call.
National Cyber Security Awareness Month


October is National Cyber Security Awareness Month, and this year celebrates its 10th anniversary (as well as the first time we’re highlighting it at New Paltz).  This month, we will be kicking off some new promotional material focusing on Cyber Security Awareness.  You’ll be seeing these around campus starting this week.

The campaign’s slogan is: STOP. THINK. CONNECT.  What does it mean?


STOP: Before you use the Internet (including email, social media, eCommerce sites, and campus systems and services), take time to understand the risks and learn to spot potential problems.

THINK: Take a moment to make certain the path ahead is clear.  Consider whether you are at a legitimate site, or one that is appearing to be legitimate.

CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself, your computer, and (for faculty & staff) the sensitive data that you may have access to.

These aren’t just meaningless slogans.  When our faculty & staff have fallen for scams, they almost always say after the fact “I just wasn’t thinking” or something of that nature.  With how fast our lives and communications move, we start operating almost automatically and it’s easy to skip thinking about the situation you’re in.  Online, though, you have to stay mindful of what you are doing before connecting to the site or system you are using.


Why protecting your credentials matters

So you’ve heard all our warnings and pleadings about fraudulent attempts to get your campus username & password.  You may be thinking “So what?  It’s not like I have anything important on my New Paltz account, what does it matter?” or, more commonly, “Why are they (the scammers) even bothering?”

Well, there are lots of reasons to be concerned.  Aside from the duty all employees have to safeguard their usernames and passwords as a matter of policy, there are several types of harm that can come from your username & password being obtained by criminals (i.e., phished).

  1. Many people on campus have access to sensitive information (in sources such as Banner, Blackboard, or their campus Email account).  Inadvertently giving your credentials out to criminals can potentially expose these sources of information.
  2. A phished account is almost always used to send fraudulent messages.  These fraudulent messages will be sent not only to random people around the world, but your own colleagues and contacts in your address book.  Future messages to these people even after your account has been cleaned up may be blocked (since past messages from your account were fraudulent).
  3. You could cause mail from SUNY New Paltz to be blocked or delayed.  When email service providers detect an inordinate amount of spam complaints about mail from a certain source (such as SUNY New Paltz), they may block or throttle all of it over time.  Getting these blocks removed takes time and mail to our students, faculty, and staff could be lost during the block.
  4. Having your New Paltz account compromised could lead to other, personal accounts (your financial accounts, your social media accounts, etc.) being compromised.  If you either used the same password on your New Paltz account as on other sites (which you shouldn’t) or you used your New Paltz account as the ‘recovery email’ for another site, you are leaving yourself at risk if your New Paltz account is compromised.
Phone Scams

Everyone has seen or heard about scam emails sent which try to get you to give out sensitive information (usernames, passwords, bank accounts, social security, etc.) or contain viruses.  What is becoming more common though is computer related fraud over the phone.

How to recognize fraudulent phone calls

  • The caller will state that they are from “Windows Support”, “Google Support”, or some other technology company.  They will say they are calling about your computer.
  • The calls will frequently (though not always) have international or odd (not the standard digits) caller ID numbers.
  • The calls will be unsolicited (they won’t be a follow-up to an existing support case you may have).
  • The callers will often speak in heavily accented English.

What to do if you receive such a phone call

Just hang up.  Don’t give your name or any other information to the caller and definitely do not follow any of the instructions they tell you.

If you’ve already been a victim of these calls

If you have already been contacted by these callers, and did what they asked you, then do the following:

  1. First – change ALL passwords to sensitive sites that you use, especially financial institutions, New Paltz accounts, other email accounts, and social networking.
  2. If you are a faculty or staff member and this happened on your office or other campus-owned computer, contact the Faculty/Staff Help Desk for assistance in cleaning out your computer of any malware the criminals had installed.
  3. If you are a faculty or staff member and this happened to your personal computer, seek professional assistance (via a local computer repair service) to make sure your computer is virus/malware free.
  4. If you are a student, seek assistance at the Student Help Desk.

Phishing – what, how and why

By now, most people have seen at least one phishing email.  The campus was hit with a few very widespread mailings earlier in the Fall 2012 semester.  We’re going to cover what Phishing is, why it is used by criminals, and most importantly how to recognize it when you see it.

What is Phishing?

The term is a portmanteau of phreaking and fishing.  It is used to describe methods where a user is baited into getting hooked by a scam.  The actual bait used can be a promise of reward (click here to win!) but is more commonly a warning or threat.  This includes phrases such as “click here to validate your account within 48 hours or your email will be shutdown”, or “we’ve seen suspicious activity on your account, reply back with your username and account number to prevent your credit card from being closed”.

What is their purpose?

It depends on what kind of email you are receiving and what the immediate goal of the scammer is, but the end goal is always financial gain for the criminals involved.  There are two primary types of Phishing emails that I’m going to call primary and secondary phishing.

Primary phishing is when the criminals are looking for the information which will net them actual financial gain.  This is usually credit card numbers, bank account numbers, usernames & passwords for banks, PayPal, or ecommerce sites, etc.  When users provide this information to the criminals, funds are pulled from these accounts (often within minutes).  These scams have a much harder time getting through spam filters, especially when sent from random free email accounts like AOL or Hotmail.

Secondary phishing is when the criminals are looking to obtain usernames & passwords for email accounts, especially at ‘trusted’ email providers like businesses or colleges.  These emails try to get you to think something will happen to your email account if you don’t comply.  They may not even try that and will just have an email with a link (and the link asks you for your username & password).  When the scammers have the usernames & passwords for accounts at trusted providers such as SUNY New Paltz, they are then free to send their fraudulent emails for financial gain (Primary Phishing) to addresses across the Internet, with more likelihood that they will be allowed through spam filters.

How to recognize phishing

  • Be cautious about clicking on links in emails, and be doubly cautious if you have clicked a link and it brought you to a page that requires you to login.
  • Don’t be fooled by names alone.  For more sophisticated phishing attacks, the criminals will take the time to study their targets.  They may put the name of someone you know in the email to make it look more trustworthy.
  • Think about what you are being asked to do.  If the sender is legitimate, do they really need what they are asking?  For example, a common tactic is for scammers to ask you to validate your account by logging in.  If you’ve received their email (and you already have to login to access your email) then what is the point of this supposed validation?
  • Phishing doesn’t just happen over email. It can be over the phone as well.  If someone calls saying they are from your bank (especially when they don’t even mention the NAME of the bank), you should not verify who you are to them; they called you.  Ask them to verify who they are.  If in doubt, hang up and call the business or institution directly (through a number on your statement/card/etc.).
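The recognition tips above can be turned into a simple checklist a mail filter or a help desk triage script might apply. The following is an added example, not code from the original post or from the campus mail system: it scores an email on four signals drawn from the list (urgency or threat wording, a request for credentials, a sender address outside the campus domain, and a link whose visible text names one host while the real target is another). The two messages, the domain `example-campus.test`, and the other hostnames are constructed samples.

```python
"""Added example: heuristic phishing indicators applied to sample emails.
Not part of the original post; all addresses and hostnames are constructed."""
import re
from urllib.parse import urlparse

# Wording from the kinds of bait described above.
URGENCY_PHRASES = (
    "validate your account", "within 48 hours", "will be shutdown",
    "suspicious activity", "will be closed", "will be suspended",
)
CREDENTIAL_WORDS = ("username", "password", "account number", "credit card")


def _sender_domain(sender):
    """Domain of the address inside <...>, or of the whole string if no brackets."""
    match = re.search(r"<([^>]+)>", sender)
    address = match.group(1) if match else sender
    return address.rsplit("@", 1)[-1].strip().lower()


def _host(text):
    """Hostname if `text` is an http(s) URL, else None (plain link text)."""
    parsed = urlparse(text.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def link_host_mismatch(display_text, href):
    """True when the visible link text names a host other than the real target."""
    shown, real = _host(display_text), _host(href)
    return shown is not None and real is not None and shown != real


def score_email(email, org_domain="example-campus.test"):
    """Return (score, reasons): one point per triggered category, 0 to 4."""
    reasons = []
    text = (email["subject"] + " " + email["body"]).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency/threat wording: " + ", ".join(hits))
    asked = [w for w in CREDENTIAL_WORDS if w in text]
    if asked:
        reasons.append("asks for credentials: " + ", ".join(asked))
    if _sender_domain(email["sender"]) != org_domain:
        reasons.append("sender address is outside " + org_domain)
    for display, href in email["links"]:
        if link_host_mismatch(display, href):
            reasons.append(f"link text shows {_host(display)} but goes to {_host(href)}")
            break
    return len(reasons), reasons


# Constructed sample: a message with every signal present.
PHISH_SAMPLE = {
    "sender": "IT Help Desk <helpdesk@freemail-provider.test>",
    "subject": "Action required: validate your account",
    "body": ("We have seen suspicious activity on your account. Click here to "
             "validate your account within 48 hours or your email will be shutdown. "
             "Reply with your username and password to keep access."),
    "links": [("https://mail.example-campus.test/login",
               "http://mail.example-campus.test.example-lookalike.test/login")],
}

# Constructed sample: an ordinary campus announcement.
LEGIT_SAMPLE = {
    "sender": "Campus Library <library@example-campus.test>",
    "subject": "Library hours for finals week",
    "body": ("The library will be open until midnight during finals week. "
             "See our hours page for details."),
    "links": [("our hours page", "https://library.example-campus.test/hours")],
}

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, reasons = score_email(sample)
        print(f"{name}: score {score}")
        for reason in reasons:
            print("  -", reason)
```

A score is a prompt to stop and think, not a verdict: a genuine notice from a vendor will trip the “outside the campus domain” check, and a careful phisher can avoid the wording list, which is why the final tip above (go directly to the institution through a number or address you already trust) remains the decisive step.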