Multi-Factor Authentication - World Password Day

Now that you've learn how to create a secure password. Let's learn about more security techniques available to us. 

Hypothetically, let’s say a malicious actor manages to crack your safe and secure password. Wow! Sounds like it's game over, right? 

In theory, the hacker will now have access to your ESU account, important files and emails. Along with your personal information and the the ability to edit your account. Moreover, if you had access to other people’s personal information (by way of your job functions), the attacker will also be able to access that information!

But, what happens if you have Multi-Factor Authentication (MFA) enabled? 

The hacker, who has your password, would now also need your second factor to actually log into your account. That just tipped the scales dramatically in your favor.  Even though your password is in the hand of the attacker, your second factor, usually a cell-phone application, is safe and sound. 

When the attackers try to log in, all they will get is a prompt for the 2nd factor, which they will not have. WIN for the Home Team!

So, while using MFA to log into your account adds an extra step, it is huge in keeping our information out of the wrong hands! It is why many companies are now moving to MFA, to secure accounts against fraud and identity theft.

ESU has begun deploying MFA to our campus staff and faculty and will continue to increase and improve our MFA options as the year progresses. As we do so, please remember that we are striving to keep your information out of the hands of all malicious actors that wish us harm.

Here are some things to remember regarding MFA options:

1. Always opt in for MFA for accounts where it is offered, especially those that contain personal or financial sensitive information.
   
   
2. When selecting an MFA option, we recommend using a smart-phone application (such as Microsoft Authenticator) as the most secure option.  These applications will typically allow you to enter a code or use a “push notification”. Both are secure, but the push notification is the most convenient as it asks you to verity that you just attempted to log in.
   
   Selecting the option 'yes' (or checkmark for some apps) and you are good to go.
   
   
3. If you use the text or call option instead, always remember to select a device or phone number that you will have access to when logging into your account.

Remember, a password without MFA is like a car without a seatbelt. Sure the car offers some protection, but if the worst happens, you will be glad you had that seatbelt on!

One Password, Slightly Used? - World Password Day

PASSWORD RE-USE:

Let’s say you have formulated the most perfect password that is possible to construct. It is easy to remember, a mile long, and has all the available character types. Now you’re set to use it for all of your accounts, right?

Not so fast. Even the most perfect password can be vulnerable to sophisticated attacks against the company that runs the servers that your account uses. In some recent high-profile cases, servers have been attacked and user account information siphoned out.  So even doing all the right things doesn’t mean a determined hacker can’t figure out what the password is (through no fault of your own).

Yikes! Now what? If this happens to you it could have serious consequences that you could not have avoided. But what if that perfect password that just got hacked is used for everything in your life?  All of a sudden, the attacker has access to EVERYTHING! Your social media accounts, your school accounts, even your bank account!

That is why we recommend you never “re-use” a password. If you have a separate password for each account, it won’t prevent a determined hacker from getting into one account, but it will prevent that same attacker from getting into everything.

But that’s a lot of passwords, right. “How am I going to remember all of those?!”

    1. As we covered in or last Daily Download, make your long passphrases something memorable. You can use that as a basis for a series of passphrases (a theme) and use significant variations on that theme (Remember, if they are too similar then it won’t be any better than using the same one for everything).

    2. Alternately, you can use a password manager. These are applications that can manage multiple account passwords for you. All you, then, have to remember is the one password for that application and it will do the rest. A Google search on “password manager” will give you a number of applications to choose from, each with their strengths, weaknesses, and prices (some are free). If you have questions, ask IT Security – we’ll be glad to help you decide on a suitable solution.

    3. Finally, avoid the temptation to allow your web-browser to remember your passwords. These are less secure than a password manager. Hackers may be able to “harvest” those passwords if you ever get malware on your computer (which is a whole topic for another time).  Besides being less secure, they only work when you are using that browser to access your accounts and they may forget all your passwords in certain circumstances.

Strength in Numbers (or Characters?!) - World Password Day

PASSWORD STRENGTH:

We all know the drill: enter a username and password to access your accounts. But are you aware that, in many cases, your password is the only thing standing between your important on-line accounts and a malicious actor trying to get in and steal your information, your identity, and your money?  That is why having an effective password is so important.

So, what constitutes an “effective” password?

Well, a password is “effective” if it keeps bad actors out. But to do that, you need to know what you are up against.  These bad actors have at their disposal many tools that try to defeat your password. One is a list of maybe the 10 million or so most common or previously hacked passwords, including popular variations of some of the more common. Adding a zero in place of the “o” in “password” will not be any more secure. They also use “dictionary” attack tools that look for actual words or variations of words (like the zero vs “o” above).  Finally, if those fail, they use tools to rapidly guess passwords one character at a time. So just using any a random collection of characters, if too short, will still allow the hacker to guess the password in a reasonable amount of time.

How do I have a strong password?

1.      Make it long – 14 or more characters. This dramatically slows down the character-at-a-time guessing technique. 

2.       Use a “pass-phrase” instead of a “password”.  String words and characters together in a way that is meaningful to you (and therefore easier to remember) but impossible to guess (hint: don’t use information about yourself that may be available on the internet).

3.       Include as many types of characters as you can. For examples, use lower and uppercase alphabetic characters, numbers, and special characters as allowed by the application or account. Some include minimum requirements to include, for example, 3 of the 4 types mentioned here.

Finally, if you discover that a password you currently use is on the weak side, change it!  Most sites and accounts will let you change your password whenever you like.

If you want to test your password to see if it has been used in a data breach, try haveibeenpwned.com. Their database consists of over 600,000,000 passwords that have been obtained from data breaches.  To test your password strength to see how long it would take a hacker to guess it, go on over to security.org.

Designing the Perfect Password - World Password Day

Are YOU still using that same password you created way back in day?

Pets Name? Kids’ names? Birthdates? Anniversaries? The word 'password'?     

Today those tactics no longer work. With data breaches at an all time high, we need to protect ourselves more than ever! Just a few small things can drastically help protect all your important online accounts. Here is a few you can try!

Create Robust Passwords: Make it difficult for Hackers to guess. Make your passwords contain at least 10 characters, have BOTH a capital and lower-case letter, and one or more symbols/numbers. (i.e., !@#$%^&*() 123456789). Use a “pass-phrase” instead of a password to make it longer and more memorable to you but even harder to guess.

Use Different Passwords: Make sure to use a different password for every account you have. If you use the same password for your personal e-mail, work e-mail, Facebook, Twitter, bank account, etc., and just one of those sites were to be compromised, the attacker would then have the “Golden Key” to all of your accounts. Do not make it that easy for them!

Always opt for Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA):  It is very important to make our data as secure as we can.  Having a second layer of security in place to protect us is never a bad thing! That way, even if your password is obtained by a bad actor, they still won’t have access to those accounts protected by a 2^nd factor.  Most companies now offer MFA or 2FA when you sign up for their services. When available always OPT IN! If you already have an account that is not protected by these, check back every so often. More and more companies are enabling these features.

Change your password every few weeks: The reason for changing your password on a regular basis is to protect you and your data from ongoing password attacks. With today’s hacking tools, guessing a simple password (a name, word, or common pattern) trivially easy. But even a good password can be guessed eventually, but it does take time.  Also, when hackers compromise an account, they may not always act right then and there, some continue to silently watch for as long as the password remains the same. When you change your password regularly it does not allow the hackers much time to act.

Do NOT Tell Anyone Your Password:  Your Passwords are Personal and Non-transferable. Do not give anyone the “Golden Key” to your information. Protect it like you would a safety deposit key!

May 6 is World Password day. We will post information and helpful tips all week, so watch for more information!

April Apple Event: Key Take-Aways and Major Announcements

 

This month apple hosted it’s spring Apple Event to announce updates and some new products for 2021. This is a brief overview of new products, facelifts, and what to expect in the upcoming year.

 

Going Green and New Software

Apple started off the show talking about their achievements and future goals in carbon-neutrality. At the corporate level, the company has reached their goal of 0 net carbon output, a huge feat for the tech powerhouse. However, CEO Tim Cook announced their new, even loftier goal: for Apple’s entire supply chain to reach 0 net carbon output by 2030. Given the corporations massive scope this would be a massive achievement in carbon neutrality.

Apple also announced updates for their Apple Card, giving new features geared toward use between multiple people and families. These features include and ability to build multiple lines of credit and permit use by children above the age of 13. Apple also announced the redesigned Podcasts app. The new look allows for shows to create a custom home page and create channels of similar podcasts. They also announced the addition of a subscription service where content creator can offer kickback for a monthly subscription. This service would compete with other services like Patreon.

 

AirTag

Apple announced the new AirTag as a solution for those who have trouble keeping track of just about anything. The new product uses the Find My app to track anything you can put a keychain on. Keys, wallet, and even dog collars will now be easily findable through your apple devices. AirTags are currently available for preorder and will launch on Friday, April 30 at a price of $29 or 4 for $100

 

The Facelifts

Apple touched on a few products that will be receiving some minor updates. These include the iPhone 12’s new purple color option. Apple TV 4K now has the option to carry the A12 chip supporting high frame rate HDR and a redesigned Siri remote. Missing from the events lineup was anything to be said about AirPods, Apple Watch, but the main event this spring was the iMac and iPad Pro

iMac Overhaul

The M1 chip has come to the iMac and now has room to unlock it’s true potential. The new iMac has been redesigned to allow the flagship Apple chip to stretch out its legs and run. In essence, everything got updated for this years iMac. The new, lower profile logic board allows for a thinner desktop and smaller fans, decreasing wasted desk space and quieter fans. The new screen now displays at 4.5K TruTone in the 24” model which now also sports a 1080p webcam and improved microphones and speakers to make online calls and conferences the highest quality they’ve ever been. Apple also offers a 2TB model, 7 different colors, and new keyboards that will support TouchID. The iMac will be available to order April 30^th and will start at $1,299.

 

iPad Pro

This years iPad Pro feels like apple trying to run away with the performance tablet game. iPad will now support the Apple M1 chip and, like iMac, is seeing upgrades in every performance field. If the new iPad can deliver on all of its promises, it looks to be the most powerful tablet in the game, comparing better to most notebooks as opposed to other tablets. iPad Pro will now support thunderbolt, a long awaited arrival, and USB 4 allowing it to connect to 6K displays. It also receives the annual camera updates but now ill have increased abilities for motion capture and AR. Pre-orders will be available April 30^th and pricing starts at $799 for the 11” model and $1,099 for the 12.9”

Fake Instagram Account Scamming Students Impersonating Union Activities Council

We have come across reports of fake Instagram accounts impersonating UAC (Union Activities Council) with the handles @uac_of_esu__ and @uac_of_essu.

These fake instagram accounts followed the followers of the original UAC account:  @uac_of_esu and sent messages and direct message like the one below containing malicious url. 

Please note that this is a scam.

If you fell victim to this scam and clicked on the links and/or provided your credit card details - please change your passwords immediately and also contact your credit card company to avoid fraudulent charges on your account.

myIT Revamped!

We started myIT 4 years ago as a place to find how-to articles, basic information about ESU systems and training opportunities.  We have been working the last couple of years to broadly improve not only the site, but our processes as well.  We are proud to offer our new myIT site which has even more self-service options and more knowledge base articles than ever before.

We started our journey by looking at IT Service Management as a way of ‘doing business’.  That led to acquiring a special software tool that manages those processes.  With myIT you can report an issue or request a service, view IT projects, and find answers to questions along with step-by-step how-to articles.  You can view the status of your ticket requests, reply to tickets, view service outages and more.

In Hornet365, from the Students, Faculty, or Employees page, just click on the MY IT link.  There is a robust search engine to look for services and knowledge. You can view the knowledge base articles and all the other information without logging in.  If you want to submit a work order you will sign in using your university username and password.  Once you have submitted a ticket, you will get a confirmation email, and when tickets are updated you will receive emails. 

We are excited to bring you this new service and encourage you to explore all the parts of our new myIT!

Data Privacy Day

First, some sobering facts:  At least half of all adults in the USA have had their personal information exposed through hacking and data breaches. Most folks feel they have lost control over how personal information is collected and used by companies. Many have just given up trying to control this situation, but most want to do more to secure their personal information online. 

So, for those that want to know more about how to protect their privacy online, here are a few tips: 

Think before you act.  Phishing scams depend upon you reactive impulsively to threats or emergencies. Any email requiring you to log into an account or click a link because of imminent danger should be re-read with a skeptical eye. 

Be careful what you post.  What you post on-line will live somewhere on the internet even if you ‘delete’ it. Many areas of society used social media posts as a form of character reference. 

Be careful who you trust.  Anyone on the internet can say anything. Don’t automatically assume that someone is who they say they are or that they can be trusted.  This is especially true for social media and children. Predators love to use social media to become ‘friends’ with children and then prey on them. 

Do a ‘security settings’ checkup.  Every application we use online has a set of security and privacy settings. It will pay big dividends to learn about those settings and how to prevent unwanted sharing of information. 

Get two steps ahead.  2-step verification or multi=factor authentication is absolutely the best defense against online account compromise.  It uses something in addition to passwords to log into your account.  If an online service provides the option to use 2-step verification, use it.  It is usually easy to set up and gives you options that provide the best convenience for your situation. 

The internet has revolutionized our lives in many ways, but it has also introduced many serious risks. Be smart about your on-line life and the internet will work for you instead of against you. Learn more at staysafeonline.org. 

  

Your Information Security Team