Zoom & Security: Keep Calm & Zoom On

Written by Steve Niedzwiecki & Tara Schaufler

Many of our campus partners have reached out with questions about the security and privacy of Zoom. In the current COVID-19 environment, use of this product has increased exponentially at Princeton as well as throughout the world. Zoom has reportedly gone from a February 2020 daily peak of 10 million users to over 200 million daily users in March. Zoom is generally thought to be the clear, current leader for online meetings. Their previous corporate focus has now evolved to supporting online education around the world as well as personal use to help many of us connect with our friends.

However, the extremely rapid growth in the use of the product has led to increased scrutiny of the security and privacy of Zoom. Some issues have been identified to which Zoom has responded or is in the process of responding. The good news is that Zoom has committed to continue to work on these issues. In fact, Zoom’s CEO recently announced that Zoom will forgo work on any new features over the next 90 days to focus solely on improving the platform’s security and privacy protections. This April 1st blog post summarizes the issues they’ve had, what they’ve done to correct them, and how they plan to proceed. Additionally, Zoom has prepared a web page related to all things security.

At Princeton, we’ve prepared a Zoom Best Practices knowledge base article that includes information about using the platform securely (like preventing “Zoombombing” attacks). This updated article includes some suggested mitigations against recently identified security issues:

  • A very recently announced vulnerability with Zoom for Windows (3/31/20) involves its chat function and links sent in chat. We recommend, as a best practice, not clicking on links in chat, particularly when you don’t know all of the participants in the Zoom session. A malicious link in chat that connects to another computer could be used to execute dangerous programs and compromise your computer.
  • The Zoom software installer for Macintosh has been criticized (3/30/20) in that it potentially enables malicious actors to modify the installer in ways that would put systems at risk. The best way to mitigate this risk is always to download the Zoom client directly from Zoom itself.

Princeton’s Information Security Office has been monitoring Zoom’s security and privacy posture, and although they’ve recently had some significant issues worthy of concern, we are pleased with the company’s responsiveness.

Posted in Uncategorized

“Are you available?” Email Phishing Scams on the Rise

Many individuals on our campus have reported suspicious emails from someone impersonating a Princeton colleague.  These messages typically ask a question and look for a reply in an attempt to start a conversation. Once the individual engages the recipient in a conversation, they often ask for personal information or for them to purchase gift cards.  Please be on alert, as a small number of individuals on our campus have recently fallen victim to similar social engineering attacks.

Here’s an example of a recent message received at Princeton:

From: [Spoofed Princeton User]
Sent: Monday, January 20, 2020 12:14 PM 

Subject: Quick Request

Are you available?

In this example, this initial message was harmless, but subsequent messages asked for the recipient to purchase gift cards.

What can you do to stay safe?  

Examine incoming messages carefully. If something seems suspicious, check the Phish Bowl (https://princeton.edu/phish-bowl) to see if it’s been reported to OIT.  If it has not been reported, forward the message to phishbowl@princeton.edu.  Please be on alert and follow these tips:

  • Look carefully at the sender’s address.  They may try to trick you with something that looks like a princeton.edu email address (e.g. “tara.schaufler.princeton@gmail.com”).
  • Question unusual requests, such as a claim that the sender is busy and needs your help right away.  An example we’ve seen is the sender asking the recipient to purchase gift cards, scratch off the codes, and email the information back to them.
  • Think twice before clicking on links or attachments.
  • Never give away personal information in an email.
  • Look for telltale signs of phishing emails, such as a blank “to” field, suspicious “from” field, odd or generic salutations, and spelling and/or grammar errors.

We all play an important role in keeping our campus safe.  Thank you for continuing to be our guardians at the gate!  
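
For mail administrators, the sender-address and blank “to” checks from the tips above can be automated in a triage script. The Python below is an added example, not part of the original post or of Princeton's tooling; the flag names and the sample messages are constructed for illustration, and only the princeton.edu domain and the look-alike address come from the post.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "princeton.edu"  # campus domain named in the post
BRAND = "princeton"               # string a look-alike sender borrows


def domain_is_trusted(domain: str) -> bool:
    """True only for the campus domain itself or a genuine subdomain of it."""
    domain = domain.lower().rstrip(".")
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def phishing_signs(raw_message: str) -> list[str]:
    """Return the telltale signs from the tips that this message shows."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    signs = []

    if "@" not in address:
        signs.append("suspicious-from")
    else:
        local_part, _, domain = address.rpartition("@")
        if not domain_is_trusted(domain):
            # The campus name appears in the address, but the mail does not
            # come from the campus domain (e.g. name.princeton@gmail.com,
            # or princeton.edu used as a prefix of someone else's domain).
            if BRAND in local_part.lower() or BRAND in domain.lower():
                signs.append("lookalike-address")
            # The display name claims the campus while the address does not.
            if BRAND in display_name.lower():
                signs.append("display-name-claims-campus")

    # A blank "to" field is one of the signs listed in the tips.
    if not msg.get("To", "").strip():
        signs.append("blank-to")
    return signs


# Constructed sample messages (not real mail).
LOOKALIKE = (
    'From: "Campus Colleague" <tara.schaufler.princeton@gmail.com>\n'
    "To:\n"
    "Subject: Quick Request\n"
    "\n"
    "Are you available?\n"
)
GENUINE = (
    "From: Campus Colleague <colleague@princeton.edu>\n"
    "To: staff@princeton.edu\n"
    "Subject: Meeting notes\n"
    "\n"
    "Notes attached.\n"
)
PREFIX_TRICK = (
    "From: helpdesk@princeton.edu.example.net\n"
    "To: staff@princeton.edu\n"
    "Subject: Quick Request\n"
    "\n"
    "Are you available?\n"
)
DISPLAY_NAME_ONLY = (
    'From: "Princeton Help Desk" <it-support@example.org>\n'
    "To: staff@princeton.edu\n"
    "Subject: Quick Request\n"
    "\n"
    "Are you available?\n"
)

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("genuine", GENUINE),
                       ("prefix trick", PREFIX_TRICK),
                       ("display name only", DISPLAY_NAME_ONLY)]:
        print(f"{label}: {phishing_signs(raw)}")
```

A clean result only means these header checks found nothing; a message sent from a compromised campus account passes them, so the content-based tips still apply.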

‘Tis the Season: InfoSec Holiday Open House & Posterboard Session

On Thursday, December 12, the Information Security Office gathered from 2-5 PM to host a holiday open house and posterboard session. And what a great event it was!  I mean, what’s not to like?  There were festive beverages, snacks, and opportunities to learn.  All of that, and a lovely location as well. The event was held at Prospect House on the Princeton University campus.

Charged with keeping our campus safe from cyber criminals, the Information Security Office believes that arming the campus community with knowledge makes all the difference. At this event, attendees had the opportunity to enjoy festive nosh while viewing information security-related posters. If you missed this event, check out the links and images for all eight posters below.

Interested in learning more? The Information Security Office at Princeton offers many opportunities to learn throughout the year. For additional information security resources, visit our website. We look forward to seeing you at upcoming events.

The InfoSec Team Can’t Do It Alone—Cyber Security Is Everyone’s Responsibility

Happy October and National Cyber Security Awareness Month (NCSAM)!

Did you know? In 2017 the education industry (which includes K–12 and higher education institutions) had 7,837,781 records breached in 35 events. To put that into perspective, the healthcare industry had 6,058,989 records breached in 428 events, and the retail industry had 123,652,526 records breached across 33 events. (See Privacy Rights Clearinghouse Chronology of Data Breaches, 2017 data.)

More than half of the breaches in the education sector were caused by activities directly attributable to human error, including lost devices, physical loss, and unintended disclosure (see figure 1). These breaches were arguably preventable through basic information security protection safeguards.

Figure 1. Types of security breaches among educational institutions

What can you do every day to protect data? The Princeton Information Security Office (ISO) believes YOU are our guardians at the gate and can actively help us protect data!  Few, if any, verticals transmit, process, access, and share such varied sensitive data elements as higher education does. There is not a “one size fits all” blueprint for information security controls that all institutions can follow. Yet all campus members have a responsibility to know basic information security protections to safeguard data and prevent those data from being mishandled.  Here’s how you can help:

  • Update your computing devices: Ensure updates to your operating system, web browser, and applications are being performed on all personal and institution-issued devices. If prompted to update your device, don’t hesitate—do it immediately.
  • Enable two-factor authentication: Whether for personal use or work, two-factor authentication can prevent unauthorized access even if your login credentials are stolen or lost.
  • Create strong and unique passwords: Create unique passwords for all personal and work accounts. In today’s environment, one of the best ways to create a strong password is to use a password manager (Princeton offers LastPass password manager free of charge to all students, faculty, and staff). A password manager will alleviate the burden of having to memorize all the different complex passwords you’ve created by managing them all in one vault and locking that vault with a single master password.
  • Protect your devices: Using biometrics or six-digit passcodes on smartphones and tablets is critical to keeping curious minds from accessing personal information, work email, or retail/banking applications. It also helps protect your device if you lose or misplace it.
  • Understand where, how, and to whom you are sending data: Many breaches occur because of mistakes where sensitive information is posted publicly, mishandled, or sent to the wrong party. Be sure you are familiar with Princeton’s data classifications.  Visit our Protect Our Info website for details.

Getting ready to send data to a vendor or sign a contract? With more and more services moving to the cloud, higher education institutions have an additional obligation to ensure that third parties are protecting our most sensitive information. If you or your department are looking to purchase or adopt a service or technology that uses institutional data, it is imperative that you include the ISO at the beginning of the project or contract process to help ensure that data are properly protected. Visit our Architecture & Security Review (ASR) webpage for more information.

For additional tips and to learn about upcoming events, visit our NCSAM webpage.

Portions of this blog were provided by Educause (www.educause.edu/securityawareness).

LastPass Password Manager – What’s all the hype?

Have you heard about LastPass password manager?  I hope so!  It’s now free to students, faculty, and staff. I have to admit that I didn’t use a password manager until I started working in the Information Security Office, but now I’m hooked.  I’m no longer scrambling to find passwords, and my password hygiene has improved.  

We all have a method of managing our passwords.  Perhaps you store passwords in a notebook, an Excel spreadsheet, in a web browser, or you simply reset your passwords a ton of times because you forget them.  The reality is that these methods are not secure. LastPass is built with security in mind. LastPass uses the same encryption algorithm that the U.S. Government uses for top-secret data. This encrypted data is unreadable to LastPass and to everyone else without the Master Password, which you create and set.  Now, if you’re anything like me, you’re probably thinking, “Is this REALLY secure?” I’m skeptical of basically everything electronic, so even with the excellent data that supports the security of this product, I’ve chosen to save everything in my vault except the passwords for a few sensitive accounts.  I keep those passwords in my head and in my physical safe at home. But I know plenty of security folks that keep all of their passwords in LastPass; I just have issues. 

All of my issues aside (and I assure you I have many), LastPass has definitely been a game changer for me.  I love having all of my passwords at my fingertips. Benefits I love include:

  • I now create better passwords using the built-in password generator. No more thinking up long, strong passwords because LastPass does it for me.
  • I don’t have to remember passwords because LastPass fills in the fields for me.
  • I create secure notes to capture information that I have trouble remembering but need to keep secure (like the PIN # for my Princeton travel card).
  • I’m organized!  My passwords are at my fingertips thanks to the LastPass browser extensions and mobile app for my phone.
  • And it’s free!  LastPass Enterprise is free for faculty and staff to store passwords used for University business, and free LastPass Premium accounts are available to store personal passwords.  The two vaults can be easily linked for convenience. If you leave the University your Enterprise account will go away, but your LastPass Premium account remains for you to use. Students are also eligible for free LastPass Premium accounts.  

Not convinced yet?  Here are some quotes from users on our campus:

“LastPass gives our team the ability to share administrative system information securely and is accessible from anywhere.”

“Using LastPass means all my passwords now will be strong, unique, and available everywhere.  One New Year’s resolution taken care of.”

“LastPass puts the zip, zap, zoom in password management.”

Interested now?  Go to https://princeton.edu/lastpass to learn more!  You can also join me for one of our upcoming classes at Frist Campus Center on:

  • September 27 at 2PM or
  • November 7 at 10AM

Visit the Learn Center to enroll.  I look forward to seeing you!

Keeping Tabs on Mobile Devices

With an increasing amount of sensitive data being stored on personal devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is stolen or misplaced.

  • Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools included on your computer’s operating system (e.g., BitLocker or FileVault).
  • Secure those devices and back up data! Make sure that you can remotely lock or wipe each mobile device. That also means backing up data on each device in case you need to use the remote wipe function. Backups are advantageous on multiple levels. Not only will you be able to restore the information, but you’ll be able to identify and report exactly what information is at risk. (See Good Security Habits for more information.)
  • Never leave your devices unattended in a public place or office. If you must leave your device in your car, place it in the trunk, out of sight, before you get to your destination, and be aware that the summer heat of a parked car could damage your device.
  • Password-protect your devices. Give yourself more time to protect your data and remotely wipe your device if it is lost or stolen by enabling passwords, PINs, fingerprint scans, or other forms of authentication. (See Choosing and Protecting Passwords.) Do not choose options that allow your computer to remember your passwords.
  • Put that shredder to work! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing them away.
  • Be smart about recycling or disposing of old computers and mobile devices. Properly destroy your computer’s hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Verify app permissions. Don’t forget to review an app’s specifications and privacy permissions before installing it!
  • Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots.
  • Keep software up to date. If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities. (See Understanding Patches and Software Updates.)

What can you do if your laptop or mobile device is lost or stolen? Report the loss or theft to the appropriate authorities. These parties may include representatives from law-enforcement agencies, as well as hotel or conference staff. If your device contained sensitive institutional or student information, immediately report the loss or theft to your organization so that they can act quickly. If you suspect that Princeton University information has been exposed to unauthorized individuals either through a lost or stolen computer/storage media or through a computer compromise, immediately report the incident to the OIT Support and Operations Center Help Desk at 8-HELP or helpdesk@princeton.edu.

Blog content provided by Educause (www.educause.edu/securityawareness).

 

Shop Safe Online, Even on Black Friday!

The holiday season is the perfect time for cybercriminals to take advantage of unsuspecting online shoppers. When you go to the grocery store or local shop, it’s habit to grab your reusable bags, lock the car, and make sure you’ve safely put away your credit card or cash before heading home with the day’s purchases. Similar precautions need to be taken when you’re shopping online from the comfort of your own home. If you make these simple precautions regular online shopping habits, you’ll be protecting your purchases and personal information.

The National Cyber Security Alliance recommends following these basic steps so you’ll be ready to cybershop safely and securely.

  • Lock down your login. One of the most critical things you can do in preparation for the online shopping season is to fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like e-mail, banking, and social media.
  • Keep clean machines. Before searching for that perfect gift, be sure that all web-connected devices—including PCs, mobile phones, smartphones, and tablets—are free from malware and infections by running only the most current versions of software and apps.
  • Shop reliable websites online. Use the sites of retailers you trust. If it sounds too good to be true, it probably is!
  • Conduct research. When using a new website for your holiday purchases, read reviews and see if other customers have had a positive or negative experience with the site.
  • Personal information is like money: value it and protect it. When making a purchase online, be alert to the kinds of information being collected to complete the transaction. Make sure you think it is necessary for the vendor to request that information. Remember that you only need to fill out required fields at checkout.
  • Get savvy about Wi-Fi hotspots. If you are out and about, limit the type of business you conduct over open public Wi-Fi connections, including logging in to key accounts, such as e-mail and banking. Adjust the security settings on your device to limit who can access your phone. If you must use open Wi-Fi connections, connect to a virtual private network (VPN) first.
  • Check the address bar. Look for the green lock icon and https:// in the URL before using your credit card online.

Blog content provided by Educause (www.educause.edu/securityawareness).

Are You Ready for Ransomware?

What Is Ransomware?

Ransomware is a type of malicious software that encrypts your files. Often, the only way to decrypt and gain access to the files is by paying a “ransom” or fee to the attackers. The attackers might provide the decryption key allowing you to regain access to your files. Ransomware may spread to any shared networks or drives to which your devices are connected. We are continuing to see ransomware attacks and expect their frequency to increase.

How Can I Get Infected with Ransomware?

Common vectors for ransomware attacks include e-mails with malicious attachments or links to malicious websites. It’s also possible to get an infection through instant messaging or texts with malicious links. Antivirus may or may not detect a malicious attachment, so it’s important for you to be vigilant.

How Can I Protect Myself Against Ransomware?

There are two steps to protection against ransomware:

  • Preparation. Back up your information regularly. Once a ransomware infection occurs, it’s often too late to recover the encrypted information. Your research project or other important information may be lost permanently. For more information on backups, visit RIT’s best practices web page.
  • Identification. Ransomware typically appears as phishing e-mails, either with links to malicious websites or infected files attached. You might also see a ransomware attack perpetrated through a pop-up telling you that your computer is infected and asking you to click for a free scan. Another possible vector is malvertising, malicious advertising on an otherwise legitimate website.

Probably the Most Important Steps You Can Take to Prepare…

  • Ensure that your information is backed up regularly and properly. Because ransomware can encrypt the files on your computer and any connected drives (potentially including connected cloud drives such as Dropbox), it’s important to back up your files regularly to a location that you’re not continuously connected to. To determine the backup capabilities available to you, contact your IT service desk.
  • Ensure that you’re able to restore files from your backups. Again, work with your IT support personnel to discuss how to test restore capabilities.
  • Ensure that antivirus/antimalware is up to date and functioning. Antivirus may detect malicious attachments.
  • Ensure that you’re keeping your system (and mobile devices) up to date with patches. If you’re prompted by your computer or mobile device to accept updates, accept them at your earliest convenience.
  • Don’t do day-to-day work using an administrator account. A successful ransomware attack will have the same permissions that you have when working. (If you’re not using an account with administrator privileges, the initial attack may be foiled.)

What Do I Do If I Think I’m Infected?

  • Report the ransomware attack to your service desk immediately.
  • Isolate or shut down the infected computer. (If you’re on Wi-Fi, turn off the Wi-Fi. If you’re plugged into the network, unplug the computer. Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or shared drives.)

Blog content provided by Educause (www.educause.edu/securityawareness).

Beef Up Your Physical Security

With the threat of hacking, malware, phishing, and other digital threats constantly looming, it can be easy to overlook the importance of physical security best practices. Here are a few helpful resources and tips:

  • Prevent tailgating. In the physical security world, tailgating is when an unauthorized person follows someone into a restricted space. Be aware of anyone attempting to slip in behind you when entering an area with restricted access.
  • Don’t offer piggyback rides. Like tailgating, piggybacking refers to an unauthorized person attempting to gain access to a restricted area by using social engineering techniques to convince the person with access to let them in. Confront unfamiliar faces! If you’re uncomfortable confronting them, contact campus safety.
  • Put that shredder to work! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing them away. Organizing campus-wide or smaller-scale shred days can be a fun way to motivate your community to properly dispose of paper waste.
  • Be smart about recycling or disposing of old computers and mobile devices. Make sure to properly destroy your computer’s hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
  • Lock your devices. Protecting your mobile devices and computers with a strong password or PIN provides an additional layer of protection to your data in the event of theft. Set your devices to lock after a short period of inactivity; lock your computer whenever you walk away. If possible, take your mobile devices and/or laptop with you. Don’t leave them unattended, even for a minute!
  • Lock those doors and drawers. Stepping out of the room? Make sure you lock any drawers containing sensitive information and/or devices and lock the door behind you.
  • Encrypt sensitive information. Add an additional layer of protection to your files by using the built-in encryption tools included on your computer’s operating system (e.g., BitLocker or FileVault).
  • Back up, back up, back up! Keeping only one copy of important files, especially on a location such as your computer’s hard drive, is a disaster waiting to happen. Make sure your files will still be accessible in case they’re stolen or lost by backing them up on a regular basis to multiple secure storage solutions.
  • Don’t leave sensitive data in plain sight. Keeping sensitive documents or removable storage media on your desk, passwords taped to your monitor, or other sensitive information in visible locations puts the data at risk to be stolen by those who would do you or your institution harm. Keep it securely locked in your drawer when not in use.
  • Put the laptop in your trunk. Need to leave your laptop or other device in your car? Lock it in your trunk (before arriving at your destination). Don’t invite criminals to break your car windows by leaving it on the seat.
  • Install a remote location tracking app on your mobile device and laptop. If your smartphone, tablet, or laptop is lost or stolen, applications such as Find My iPhone/iPad/Mac or Find My Device (Android) can help you to locate your devices or remotely lock and wipe them.

Blog content provided by Educause (www.educause.edu/securityawareness).

Spring Cleaning – Recycling & Donating Old Devices

As you upgrade your personal devices to the newest options, do you recycle the old equipment? Being green shouldn’t make you blue. Take steps now to avoid anxiety later about forgotten sensitive files on your last laptop becoming a source of embarrassment or identity theft. Trying to securely delete data at the time you decommission equipment can turn into a multi-hour chore and a source of stress, but it doesn’t need to be that way.

Make sure saved copies of your tax filings, personal photos, and other sensitive files can’t be retrieved by the next person with access to your computer’s drive by making the drive unreadable to anyone else. Dragging files to the trash or recycle bin doesn’t remove data—it just removes the retrieval path to the file and marks that storage space available for other data to occupy sometime in the future. Your pirate treasure is still buried, but the map is missing. “Secure file deletion” functions go a step further to overwrite the data in those locations with random bits immediately.

The introduction and growth of solid state drives in consumer electronics, however, makes overwriting the data in these spaces less dependable than in the standard hard drives of the past. Today’s “delete/overwrite” protection comes most reliably from full disk encryption (aka whole disk encryption), which encrypts all data on the machine—including the operating system and temporary files you weren’t even aware you created. Follow the motto of a famous infomercial to “set it [full disk encryption] and forget it [the password/key]!” Even if someone removes the drive and puts it into a different machine, the encryption remains in place.

  • Plan A: Encrypt the full disk now using built-in functionality. Create a strong passphrase or password, since this becomes the decryption key! Everything will be encrypted, including the operating system, so you will have to “unlock” the encrypted drive with your personal passphrase every time you start or boot up your computer. Save the generated recovery key somewhere secure (like a password manager or printout stored in a secure office), in case you forget your password and need to access the data on that machine. Here are instructions for some of the most common built-in encryption functions:
  • Plan B: If full disk encryption wasn’t a built-in option, find a free or fee version of full disk encryption software that works with your operating system and personal capability. Check your favorite review sites or try Slant for recommendations.
  • Failsafe: Hammer time! Remove and destroy the drive (Geek Squad offers a three-minute tutorial on hard drive disposal). Most retail stores that accept computer donations for safe recycling will remove the drive and give it to you for secure destruction—just ask them to do that. Smash it, drill it, or hold onto the drive until there’s a secure shredding event at work or in your community.

Blog content provided by Educause (www.educause.edu/securityawareness).
