- Always opt in to MFA for accounts where it is offered, especially those that contain sensitive personal or financial information.
- When selecting an MFA option, we recommend using a smartphone application (such as Microsoft Authenticator) as the most secure option. These applications will typically allow you to enter a code or use a “push notification”. Both are secure, but the push notification is the most convenient, as it asks you to verify that you just attempted to log in. Select the option 'yes' (or the checkmark in some apps) and you are good to go.
- If you use the text or call option instead, always remember to select a device or phone number that you will have access to when logging into your account.
Thursday, May 6, 2021
Multi-Factor Authentication - World Password Day
Wednesday, May 5, 2021
One Password, Slightly Used? - World Password Day
PASSWORD RE-USE:
Let’s say you have formulated the most perfect password that is possible to construct. It is easy to remember, a mile long, and has all the available character types. Now you’re set to use it for all of your accounts, right?
Not so fast. Even the most perfect password can be vulnerable to sophisticated attacks against the company that runs the servers that your account uses. In some recent high-profile cases, servers have been attacked and user account information siphoned out. So even doing all the right things doesn’t mean a determined hacker can’t figure out what the password is (through no fault of your own).
Yikes! Now what? If this happens to you it could have serious consequences that you could not have avoided. But what if that perfect password that just got hacked is used for everything in your life? All of a sudden, the attacker has access to EVERYTHING! Your social media accounts, your school accounts, even your bank account!
That is why we recommend you never “re-use” a password. If you have a separate password for each account, it won’t prevent a determined hacker from getting into one account, but it will prevent that same attacker from getting into everything.
But that’s a lot of passwords, right? “How am I going to remember all of those?!”
1. As we covered in our last Daily Download, make your long passphrases something memorable. You can use that as a basis for a series of passphrases (a theme) and use significant variations on that theme. (Remember, if they are too similar then it won’t be any better than using the same one for everything.)
2. Alternatively, you can use a password manager. These are applications that can manage multiple account passwords for you. All you then have to remember is the one password for that application, and it will do the rest. A Google search on “password manager” will give you a number of applications to choose from, each with their strengths, weaknesses, and prices (some are free). If you have questions, ask IT Security – we’ll be glad to help you decide on a suitable solution.
3. Finally, avoid the temptation to allow your web-browser to remember your passwords. These are less secure than a password manager. Hackers may be able to “harvest” those passwords if you ever get malware on your computer (which is a whole topic for another time). Besides being less secure, they only work when you are using that browser to access your accounts and they may forget all your passwords in certain circumstances.
Tuesday, May 4, 2021
Strength in Numbers (or Characters?!) - World Password Day
PASSWORD STRENGTH:
We all know the drill: enter a username and password to access your accounts. But are you aware that, in many cases, your password is the only thing standing between your important on-line accounts and a malicious actor trying to get in and steal your information, your identity, and your money? That is why having an effective password is so important.
So, what constitutes an “effective” password?
Well, a password is “effective” if it keeps bad actors out. But to do that, you need to know what you are up against. These bad actors have at their disposal many tools that try to defeat your password. One is a list of maybe the 10 million or so most common or previously hacked passwords, including popular variations of some of the more common ones. Adding a zero in place of the “o” in “password” will not be any more secure. They also use “dictionary” attack tools that look for actual words or variations of words (like the zero vs “o” above). Finally, if those fail, they use tools to rapidly guess passwords one character at a time. So just using a random collection of characters, if too short, will still allow the hacker to guess the password in a reasonable amount of time.
1. Make it long – 14 or more characters. This dramatically slows down the character-at-a-time guessing technique.
2. Use a “pass-phrase” instead of a “password”. String words and characters together in a way that is meaningful to you (and therefore easier to remember) but impossible to guess (hint: don’t use information about yourself that may be available on the internet).
3. Include as many types of characters as you can. For example, use lower and uppercase alphabetic characters, numbers, and special characters as allowed by the application or account. Some include minimum requirements to include, for example, 3 of the 4 types mentioned here.
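The three guessing stages described above, turned into a defender-side password check. This is an added example, not code from the original post; the `COMMON` sample list, the swap table, and the guessing rate are constructed assumptions.

```python
import math
import string

# Constructed sample standing in for the multi-million-entry lists of common
# or previously breached passwords that guessing tools try first.
COMMON = {"password", "letmein", "qwerty", "sunshine", "dragon"}

# Reverse the popular swaps (zero for "o", "@" for "a", ...) that dictionary
# tools already try, so "Passw0rd" is compared as "password".
UNSWAP = str.maketrans("013457@$!", "oleastasi")
TRAILERS = string.digits + string.punctuation
GUESSES_PER_SEC = 1e10  # assumption: offline guessing rate, not a measured figure
MIN_LENGTH = 14         # the length recommended in the post


def is_common_variant(pw):
    """True if the password is a listed word after undoing swaps and suffixes."""
    low = pw.lower()
    candidates = {low.translate(UNSWAP), low.rstrip(TRAILERS).translate(UNSWAP)}
    return bool(candidates & COMMON)


def charset_size(pw):
    """Size of the alphabet a character-at-a-time guesser must cover."""
    groups = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26), (string.digits, 10)]
    size = sum(n for chars, n in groups if any(c in chars for c in pw))
    known = string.ascii_letters + string.digits
    # Punctuation, spaces and anything else count as one 33-symbol class.
    return size + (33 if any(c not in known for c in pw) else 0)


def worst_case_seconds(pw):
    """Time to try every string of this length and alphabet (upper bound only)."""
    if not pw:
        return 0.0
    bits = len(pw) * math.log2(charset_size(pw))
    return math.inf if bits > 1000 else 2 ** bits / GUESSES_PER_SEC


def review(pw):
    """Apply the post's checks in the order an attacker's tools would."""
    if is_common_variant(pw):
        return "reject: variant of a common password"
    if len(pw) < MIN_LENGTH:
        return "reject: shorter than %d characters" % MIN_LENGTH
    return "ok"
```

The time estimate covers only exhaustive guessing, so it overstates the strength of a passphrase built from guessable words; that is why the list check runs first.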
Finally, if you discover that a password you currently use is on the weak side, change it! Most sites and accounts will let you change your password whenever you like.
If you want to test your password to see if it has been used in a data breach, try haveibeenpwned.com. Their database consists of over 600,000,000 passwords that have been obtained from data breaches. To test your password strength to see how long it would take a hacker to guess it, go on over to security.org.
Monday, May 3, 2021
Designing the Perfect Password - World Password Day
Are YOU still using that same password you created way back in the day?
Pet's name? Kids’ names? Birthdates? Anniversaries? The word 'password'?
Today those tactics no longer work. With data breaches at an all-time high, we need to protect ourselves more than ever! Just a few small things can drastically help protect all your important online accounts. Here are a few you can try!
Create Robust Passwords: Make it difficult for hackers to guess. Make your passwords contain at least 10 characters, have BOTH a capital and lower-case letter, and one or more symbols/numbers (i.e., !@#$%^&*() 123456789). Use a “pass-phrase” instead of a password to make it longer and more memorable to you but even harder to guess.
Use Different Passwords: Make sure to use a different password for every account you have. If you use the same password for your personal e-mail, work e-mail, Facebook, Twitter, bank account, etc., and just one of those sites were to be compromised, the attacker would then have the “Golden Key” to all of your accounts. Do not make it that easy for them!
Always opt for Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA): It is very important to make our data as secure as we can. Having a second layer of security in place to protect us is never a bad thing! That way, even if your password is obtained by a bad actor, they still won’t have access to those accounts protected by a 2nd factor. Most companies now offer MFA or 2FA when you sign up for their services. When available, always OPT IN! If you already have an account that is not protected by these, check back every so often. More and more companies are enabling these features.
Change your password every few weeks: The reason for changing your password on a regular basis is to protect you and your data from ongoing password attacks. With today’s hacking tools, guessing a simple password (a name, word, or common pattern) is trivially easy. Even a good password can be guessed eventually, but it does take time. Also, when hackers compromise an account, they may not always act right then and there; some continue to silently watch for as long as the password remains the same. When you change your password regularly, it does not allow the hackers much time to act.
Do NOT Tell Anyone Your Password: Your passwords are personal and non-transferable. Do not give anyone the “Golden Key” to your information. Protect it like you would a safety deposit key!
May 6 is World Password Day. We will post information and helpful tips all week, so watch for more information!
April Apple Event: Key Take-Aways and Major Announcements
This month Apple hosted its spring Apple Event to announce updates and some new products for 2021. This is a brief overview of new products, facelifts, and what to expect in the upcoming year.
Going Green and New Software
Apple started off the show talking about their achievements and future goals in carbon-neutrality. At the corporate level, the company has reached their goal of 0 net carbon output, a huge feat for the tech powerhouse. However, CEO Tim Cook announced their new, even loftier goal: for Apple’s entire supply chain to reach 0 net carbon output by 2030. Given the corporation's massive scope, this would be a massive achievement in carbon neutrality.
Apple also announced updates for their Apple Card, giving new features geared toward use between multiple people and families. These features include an ability to build multiple lines of credit and permit use by children above the age of 13. Apple also announced the redesigned Podcasts app. The new look allows for shows to create a custom home page and create channels of similar podcasts. They also announced the addition of a subscription service where content creators can offer kickbacks for a monthly subscription. This service would compete with other services like Patreon.
AirTag
Apple announced the new AirTag as a solution for those who have trouble keeping track of just about anything. The new product uses the Find My app to track anything you can put a keychain on. Keys, wallet, and even dog collars will now be easily findable through your Apple devices. AirTags are currently available for preorder and will launch on Friday, April 30 at a price of $29 or 4 for $100.
The Facelifts
Apple touched on a few products that will be receiving some minor updates. These include the iPhone 12’s new purple color option. Apple TV 4K now has the option to carry the A12 chip supporting high frame rate HDR and a redesigned Siri remote. Missing from the event's lineup was anything to be said about AirPods or Apple Watch, but the main event this spring was the iMac and iPad Pro.
iMac Overhaul
iPad Pro
This year's iPad Pro feels like Apple trying to run away with the performance tablet game. iPad will now support the Apple M1 chip and, like iMac, is seeing upgrades in every performance field. If the new iPad can deliver on all of its promises, it looks to be the most powerful tablet in the game, comparing better to most notebooks as opposed to other tablets. iPad Pro will now support Thunderbolt, a long-awaited arrival, and USB 4, allowing it to connect to 6K displays. It also receives the annual camera updates but now will have increased abilities for motion capture and AR. Pre-orders will be available April 30th and pricing starts at $799 for the 11” model and $1,099 for the 12.9”.
Monday, April 12, 2021
Fake Instagram Account Scamming Students Impersonating Union Activities Council
We have come across reports of fake Instagram accounts impersonating UAC (Union Activities Council) with the handles @uac_of_esu__ and @uac_of_essu.
These fake Instagram accounts followed the followers of the original UAC account, @uac_of_esu, and sent messages and direct messages like the one below containing a malicious URL.
Please note that this is a scam.
If you fell victim to this scam and clicked on the links and/or provided your credit card details, please change your passwords immediately and also contact your credit card company to avoid fraudulent charges on your account.
Tuesday, February 2, 2021
myIT Revamped!
We started myIT 4 years ago as a place to find how-to articles, basic information about ESU systems and training opportunities. We have been working the last couple of years to broadly improve not only the site, but our processes as well. We are proud to offer our new myIT site which has even more self-service options and more knowledge base articles than ever before.
We started our journey by looking at IT Service Management as a way of ‘doing business’. That led to acquiring a special software tool that manages those processes. With myIT you can report an issue or request a service, view IT projects, and find answers to questions along with step-by-step how-to articles. You can view the status of your ticket requests, reply to tickets, view service outages and more.
In Hornet365, from the Students, Faculty, or Employees page, just click on the MY IT link. There is a robust search engine to look for services and knowledge. You can view the knowledge base articles and all the other information without logging in. If you want to submit a work order you will sign in using your university username and password. Once you have submitted a ticket, you will get a confirmation email, and when tickets are updated you will receive emails.
We are excited to bring you this new service and encourage you to explore all the parts of our new myIT!
Thursday, January 28, 2021
Data Privacy Day
First, some sobering facts: At least half of all adults in the USA have had their personal information exposed through hacking and data breaches. Most folks feel they have lost control over how personal information is collected and used by companies. Many have just given up trying to control this situation, but most want to do more to secure their personal information online.
So, for those that want to know more about how to protect their privacy online, here are a few tips:
Think before you act. Phishing scams depend upon you reacting impulsively to threats or emergencies. Any email requiring you to log into an account or click a link because of imminent danger should be re-read with a skeptical eye.
Be careful what you post. What you post on-line will live somewhere on the internet even if you ‘delete’ it. Many areas of society use social media posts as a form of character reference.
Be careful who you trust. Anyone on the internet can say anything. Don’t automatically assume that someone is who they say they are or that they can be trusted. This is especially true for social media and children. Predators love to use social media to become ‘friends’ with children and then prey on them.
Do a ‘security settings’ checkup. Every application we use online has a set of security and privacy settings. It will pay big dividends to learn about those settings and how to prevent unwanted sharing of information.
Get two steps ahead. 2-step verification or multi-factor authentication is absolutely the best defense against online account compromise. It uses something in addition to passwords to log into your account. If an online service provides the option to use 2-step verification, use it. It is usually easy to set up and gives you options that provide the best convenience for your situation.
The internet has revolutionized our lives in many ways, but it has also introduced many serious risks. Be smart about your on-line life and the internet will work for you instead of against you. Learn more at staysafeonline.org.
Your Information Security Team