Category Archives: Security

Resetting Your Password Will Be Easier Than This.



UPDATED: Protect the Data on Your iDevice (iPad, iPhone, etc.)

There are three easy actions you can take to immensely enhance the data protection capabilities of your “iDevice” and your investment in it.  These are particularly important if you access any College or personal data with your device.

1) Use an alphanumeric passcode

iPads and iPhones can actually encrypt the data they contain!  However, to utilize this capability, a passcode has to be set.  Although a four-digit passcode will minimally suffice (there’s software available to easily crack these), the best option is to enable the use of alphanumeric passcodes.  This is done by going into Settings and then selecting General in the Settings list.  Touch the ‘Passcode Lock’ item in the right-hand column.

If the Passcode Lock is not yet enabled, select the ‘Turn Passcode On’ option and set a passcode.  Then, next to ‘Simple Passcode’, select Off.  You will need to enter your existing passcode and then you will be presented with a keyboard to enter a new alphanumeric passcode (be sure to also save it somewhere safe in case you forget it).

Once enabled, whenever you turn your iDevice on, you’ll need to enter your passcode to access it.

2) Enable the free device locator with the “Find My iPhone” app

This is a great free app/service that allows you to locate your missing iDevice if misplaced or stolen.  In addition to showing where your device is on a Google map, you can also remotely lock the device, play a sound, display a message or even wipe all of its data.  (Note that Location Services, in Settings, does need to be enabled for this to work; see below.)

Start by going to the App Store and downloading the “Find My iPhone” app (it works for iPod and iPad too).  After installing the app and starting it, you will be asked for your Apple ID and password (see below).

Once you log in, your application will begin locating your iDevice and you can view its location on a Google map.

Once your device is located, you can have it play a sound (great if you misplace it in a home or building), display a message and even wipe its contents.

Now if you should unfortunately lose or misplace your iDevice, you can run the Find My iPhone app on a different iDevice, log in with your Apple ID and you should be able to locate your lost iDevice along with the option of taking additional actions.

3) Encrypt your iTunes backups

You’re already backing up your device to your Mac or PC.  However, that data may often include sensitive or personal information.  The backup will also contain login credentials for apps, websites, email and even VPN.  In many cases, this data can be extracted from the backup files.  To avoid this, you should encrypt your backup files.  Once enabled, encryption is done automatically for you every time you back up via iTunes.  Within iTunes, and with your device connected to your computer, locate the options for the device (see below) and click on ‘Encrypt iPad backup’.

Following these three quick steps will go a long way to protect your iDevice and the data on it.

Java – The Hacker’s Best Friend

Some of you may have heard that a significant security vulnerability was disclosed recently that affects pretty much all versions of Java. Oracle (who now owns Java) seemed to be dragging their feet on providing a fix until they felt some heat from the U.S. Government. A fix was made available today but only for users of Java version 7. Java runs on all operating systems so Mac users are impacted along with PC users.  Note: there won’t be a fix available for Mac users with Snow Leopard or earlier so your best option is to totally disable Java.

How do you know if you have Java installed?
Click on this link to find out: http://www.java.com/en/download/installed.jsp

If you don’t need Java (not to be confused with JavaScript), you should uninstall it or, for Windows, disable browser use in the Java Control Panel (see http://www.java.com/en/download/help/disable_browser.xml). In addition to the Department of Homeland Security, many security industry experts are recommending that Java be disabled immediately (fix or no fix).

Unfortunately, a number of us require Java for applications that we use at work (including for web apps like GoToMeeting and WebEx).  So, if you absolutely must keep Java installed, you should strongly consider disabling Java in all your browsers except the one that you access Java-based applications with.  Use that one browser just for your Java-based applications.  Use your other browsers, the ones with Java disabled, to access the Internet.

Below are steps to disable Java in all browsers except Internet Explorer (so IE is a good choice for the browser where Java is left enabled).

Firefox
1.    Click on the Firefox tab (or Tools) and then select Add-ons
2.    In the Add-ons Manager window, select Plugins
3.    Click Java (TM) Platform plugin to select it
4.    Click Disable (if the button displays Enable then Java is already disabled)

Safari
1.    Choose Safari Preferences
2.    Choose the Security option
3.    Deselect Enable Java
4.    Close Safari Preferences window

Chrome
1.    Type about:plugins in the browser address bar.
2.    In the Plugins panel, scroll to the Java section. Click Disable to disable the Java Plug-in.
3.    Close and restart the browser to enable the changes

While you’re diligently dealing with this Java mess, you should go ahead and update your installed Adobe products (Reader, Flash and AIR) and install the most recent Microsoft patches (for Windows machines).  Significant security vulnerabilities in these software packages were also patched recently, and the patches should be installed as soon as possible.

With all these patches needing installation for various applications, it’s difficult to keep track.  I still recommend using BrowserCheck from Qualys (browsercheck.qualys.com) for what amounts to a quick, one-click assessment of missing security patches on your Mac or PC.  It’s free and there’s no registration required.  I’ve written about BrowserCheck previously here:

https://blogs.swarthmore.edu/its/2010/10/18/give-your-computer-a-fighting-chance/
https://blogs.swarthmore.edu/its/2011/06/15/update-your-browser-save-your-computer/
https://blogs.swarthmore.edu/its/2012/03/12/update-everything/

In summary, if you don’t need Java, get rid of it.
Nick

Online Shopping Tips

In time for “cyber Monday”, below is a quick video with some great tips (thanks to the folks at Kaspersky anti-virus) to protect your computer (and yourself) while shopping online this holiday season.  Most of the tips have been covered on this blog before but this is a great refresher.

Some of the tips include:

- keeping your operating system, anti-virus and browsers up to date with the latest patches/updates
- using known, reputable online retailers
- it’s better to use a credit card rather than a debit card
- if you’re using wireless, make sure it’s secure

Stay safe this holiday season and always!

Use Your Swarthmore Credentials Only at Swarthmore

Your Swarthmore “credentials”, the combination of your Swarthmore email address and password, should only be used with Swarthmore College on-line services.  These credentials should never be used for personal accounts at non-Swarthmore websites.

Websites are regularly compromised and users’ email addresses, along with passwords, are subsequently stolen.  A short list of popular websites that were recently compromised follows:

eHarmony
LinkedIn
Last.fm
Yahoo Voices
The Student Room
Formspring
Android Forum
techradar
Philips
Sony Entertainment
etc…

If you use your Swarthmore credentials for a non-Swarthmore account and that website gets hacked, your Swarthmore on-line services would then be readily available to the attacker(s).  Since lists of compromised accounts are often sold or simply pasted on-line for anyone to access, it’s only a matter of time before someone is using them to gain access to your account.

So, to keep your Swarthmore resources private, don’t use your Swarthmore email address and password at other third party sites.  Use different login credentials for all your personal accounts.

Think you’re not being stalked on the Internet?

Do you accept a lack of privacy as the price for being on the Internet?
For being connected to everything, everywhere?
Think you have a good idea of what sites are tracking your browsing behavior?

You might want to check out the recent TED talk by Gary Kovacs, CEO of Mozilla (developers of Firefox).  The video is only six minutes long and Gary succinctly describes the privacy infringements we all face daily.

Update EVERYTHING!

… please!!

Besides running up-to-date anti-virus, one of the best ways to keep your computer from becoming infected (and then losing access to it while it gets re-imaged, etc.) is to keep your operating system and applications up to date.  Over the past few weeks, most major vendors have updated their software.  If you run applications from any of the following vendors, you should upgrade that software as soon as you possibly can:

Microsoft Windows

Mac OS X and iOS

Adobe Reader, Flash, Shockwave, etc.

Mozilla Firefox & Thunderbird

Google Chrome

Oracle Java

Apple Quicktime & Safari

Below are some past, but still very applicable, Security blog articles which discuss keeping your computer software up to date:

Give your computer a fighting chance

Update your browser and save your computer

Freshen up your java

As described in one of the articles above, browsercheck.qualys.com provides a quick one-stop check for determining your application versions and upgrading them.  And, you don’t have to sign up for anything!!

Phishing Video Reminder for the Holidays!

The following video serves as a reminder that this is the time of the year to be extra vigilant for phishing emails and other Internet scams.  This video is courtesy of some talented folks at the University of Rochester.

Bet you have trouble getting this tune out of your head…

How Do You Like Your Phish?

Phishing remains an ever popular way to get computer users to install malicious code or visit sites that they didn’t choose.  Many of the phishing attempts here at Swarthmore seem to fall into one of two categories:

- Email account and/or password related
- Government related (e.g., IRS, Federal Reserve, ACH, etc.)

It should be pretty easy to recognize the first category since Swarthmore ITS will never ask for your password in an email and will never disable your email account while you are actively enrolled at or employed by the College.

As for emails that appear to come from the U.S. Government, the question to ask yourself is whether the sending organization (typically spoofed) actually has your Swarthmore email address?  Also, would that organization really try to reach you by email without prior contact by you?!  I’m pretty sure the Federal Reserve Bank doesn’t maintain a list of Swarthmore email addresses!

Phishing emails typically try to elicit an immediate reaction from you (say, panic) so that you’ll click on the provided link or open the attachment without thinking.  Next time you get one of these emails, ask yourself the questions above and whether the situation makes sense.  And, if you’re still unsure, don’t hesitate to check it out with Client Services or me.

You also have a better chance of spotting faked URLs (web page links) in email if you display them as text rather than HTML.  For more on reading email as text, see this blog article.

There’s a whole page of prior phishing attempts against the community here and below are some recent phishing email Subject lines (note spelling errors):

Your Tax Return

Federal Tax Transaction Cancelled

Western Union transfer is available for withdrawl

Facebook Password Reset Email Issue

Treasury Inspector General for Tax Administration

Notice of Underreported Income

etc., etc., etc.

Stay safe,
Nick

Critical Security Updates for Adobe Products

Adobe has released software fixes for a number of “critical” security holes in the following products:

At a minimum, many of us use the Flash and Shockwave players.  If you use any of the Adobe products listed above, at home or at work, you should update them as soon as you can.  This includes Windows, Mac and even Android platforms.

For a quick glimpse of Adobe products on your computer that may need updating (along with other applications) and the easiest way to update them, you can go to the following link:

https://browsercheck.qualys.com/
(note: you will need to install a browser plug-in and restart your browser the first time you use this service – but you don’t have to register!)

For more information on keeping your computer up to date, see my earlier post here.

Good luck and don’t forget to update!