Category Archives: Infosec Communicator

  • 0

Higher Ed, Where’s the Mobile Content?

Category:Higher Education,Infosec Communicator,mobile device,Uncategorized Tags : 

In general, the pace of change far exceeds the ability of any large organization to adapt and adopt, be it a professional organization, an educational institution, or many companies. Mobile content is a good example. Although we’ve know that the rate of adoption is high, in a recent Chronicle of Higher Education Wired blog posting,  Kelly Truong stated that a research study at Ball State University found that about 90% of students were using their smartphones to access the internet.

At the Rochester Institute of Technology, we’re seeing some movement towards providing mobile content, including online coursework. The E. Philip Saunders College of Business has also designed a smartphone app for their students.

Do you use a smartphone to access the internet? Are you happy with the experience? Are any of your companies/colleges, etc. designing web pages for mobile users? Are you designing coursework for mobile users? Developing any corporate apps for iPhone, Android, Blackberry, etc.?

Enhanced by Zemanta

  • 1

Best Security Awareness Videos for College Students

Category:Facebook,Information Security,Infosec Communicator,Internet Safety,Social Networking,Uncategorized Tags : 

Each fall, the RIT Information Security Office provides a Digital Self Defense orientation to first year students. The session helps the students understand the information security threats they will face. We also communicate their responsibility for keeping themselves and others safe online. As you might imagine, keeping the attention of these students midway through their orientation week can be challenging. To help hold their interest, we use a number of security awareness videos in our presentation.

The list of videos below includes an amateur and professional videos and student-created entries in the EDUCAUSE Annual Security Video contest.

Video resources

Facebook Stalker
https://www.youtube.com/watch?v=wCh9bmg0zGg

The Onion: Facebook, Twitter Revolutionizing How Parents Stalk their College-Aged Kids https://www.theonion.com/video/facebook-twitter-revolutionizing-how-parents-stalk,14364/

Weird “Al” Yankovic Virus Alert
https://www.youtube.com/watch?v=zvfD5rnkTws

Identity Theft for Criminals student video
https://www.youtube.com/watch?v=agmHVBJL_fk

Check out the EDUCAUSE Video Contest Page on Facebook for more videos.

If you know of other good security awareness videos, please add a comment!

src=”https://media.theonion.com/flash/video/embedded_player.swf” type=”application/x-shockwave-flash” allowScriptAccess=”always” allowFullScreen=”true” wmode=”transparent” width=”480″ height=”430″ flashvars=”videoid=14364″>
Facebook, Twitter Revolutionizing How Parents Stalk Their College-Aged Kids

  • 3

Is “Secure Mobile” an Oxymoron?

Category:Information Security,Infosec Communicator,mobile device,Risk Tags : 

If you haven’t noticed, mobile device use is pretty much ubiquitous. Apple iPhone/iPod/iPad, Windows Mobile, Palm, Google Android, Blackberry–all of these device families have their own Operating Systems that could be exploited by an attacker.  Yet, we’re seeing more and more mobile device use in business settings.

SMobile published a white paper yesterday (6/22), Threat Analysis of the Android Market,  about the ~20% of apps available from the Google Android Market that are granted permissions to potentially exploitable features/information when they’re installed. As they point out, it’s pretty easy for an attacker to encourage a potential target to install a seemingly innocent application when that application is available from the Google Market and was never vetted for security issues.

Another big issue is how easy it is to lose a mobile device. If the device is not encrypted, any confidential or private information you’ve placed on the device is at risk. If you’ve cached login credentials to your institution’s network, an attacker has easy access.

We’re working on developing mobile device security guidelines for use in accessing our university data. Because almost all devices are individually-owned and pose their own unique security risks, it’s hard to develop a one-size-fits-all policy. We’re looking at both general and device-specific guidelines.

I’ve included a preliminary draft below, parts of it based on materials developed by EDUCAUSE member institutions.  What would you add or subtract? Is it a good approach?

General Guidelines for Mobile Device Use

  • Configure mobile devices securely. Depending on the specific device, you may be able to:
    • Enable auto-lock. (This may correspond to your screen timeout setting.)
    • Enable password protection.
      • Use a reasonably complex password where possible.
      • Avoid using auto-complete features that remember user names or passwords.
      • You may want to use a password safe application where available.
    • Ensure that browser security settings are configured appropriately.
    • Enable remote wipe options.
      • If you’re connecting to the university email with ActiveSync for email and calendaring, you may be able to wipe the email and calendaring information from your device remotely.
      • Third party applications may also provide the ability to remotely wipe the device.
    • Ensure that SSL protection is enabled.
  • For improved performance and security, register your device and connect to the university WPA2 network where available.
  • Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.
  • Keep your mobile device and applications on the device up to date. Use automatic update options if available.
  • Install an antivirus/security program and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
  • Use an encryption solution to keep portable data secure in transit and at rest. WPA2 is encrypted. 3G encryption has been cracked. Use an SSL (https) connection where available.
  • Take appropriate physical security measures to prevent theft of mobile devices.
    • Never leave your mobile device unattended.
    • Report lost or stolen devices and change any passwords immediately.
    • Include contact information with the device.
      • On the lock screen (if possible). For example, “If found, please call 585-475-HELP.”
      • Engraved on the device.
      • Inserted into the case.
  • Know your mobile vendor’s policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.
  • Use appropriate sanitization and disposal procedures for mobile devices.
Enhanced by Zemanta

  • 0

Are location services on mobile devices a good thing?

Category:Cyberstalking,Facebook,Infosec Communicator,Internet Safety,Social Networking Tags : 

I’ve always had mixed feelings about the location services (such as Google Latitude) offered by various mobile devices and by social networking sites. For example, is it a good thing to let people know where you are when you’re tweeting?

When we talk to the incoming first year class at RIT each fall, we talk about the potential danger of cyberstalking, illustrating it humorously through the Facebook Stalker YouTube video. We don’t try to over dramatize the danger, but we do want students to be aware of the possibility. (We also discourage placing phone numbers and addresses in Facebook and other social networking profiles.)

We saw some evidence of cyberstalking with our daughter in high school. She would post info about where she would be and one person showed up there consistently.

Are we overreacting to the potential danger? On a risk map, I would rate cyberstalking as a low-probability high-impact risk. Is cyberstalking something you worry about? Do any of you use these “location services” on your mobile devices or Tweet with your location? Why or why not?

Ben


  • 1

Choosing the Safest Browser

Category:Information Security,Infosec Communicator,Internet Safety,Uncategorized Tags : 

There’s always discussion among techies about which internet browser is better. Most of them end up bashing Internet Explorer. Does it really matter which browser you use?

Maybe, but not for the reasons you might think. Here’s a list of the five most common browsers, in no particular order:

  • Opera
  • Firefox
  • Safari
  • Internet Explorer
  • Google Chrome

Which of these browsers is the safest? The one with the fewest number of reported vulnerabilities? I asked my Cyber Self Defense class last quarter to guess which browser had the most vulnerabilities.

Here’s the order they came up with:

  1. Internet Explorer
  2. Safari
  3. Opera
  4. Firefox
  5. Chrome

According to the  Symantec 2008 Internet Threat Report, here’s the list of browsers ranked from most reported vulnerabilities to the least:

  1. Firefox
  2. Internet Explorer
  3. Safari
  4. Opera
  5. Chrome

Is this the order you expected? Did you think that Internet Explorer would have the highest number? If we go strictly by number of vulnerabilities reported, Google Chrome would be the safest browser to use and Firefox the worst.

Another way to look at browser safety is how long it takes for a reported vulnerability to be fixed. How would you rank these same five browsers from shortest to longest patch time?

Again, the class assumed the worst browser would be Internet Explorer. However, Safari had an average “exposure” time of nine days, compared to the “best,” Firefox, which normally took only one day to patch.

Internet Explorer is attacked the most. Why? Because it’s used by the most people and provides a higher ROI for cyber criminals. Because it’s attacked the most, it MAY be safer to use a different browser. However,  safer Internet browsing has as much to do with safe practice as it does browser choice. If you browse unsafe sites, you’re more likely to be attacked.

Here’s what we’re telling students, faculty, and staff at the Rochester Institute of Technology about safer internet browsing.

Browser Security

How can you tell how secure your web browser may be? Scanit’s Browser Security Test checks your browser security settings and provides a report explaining the vulnerabilities, the potential impacts, and how to correct them.

Update Regularly

It is important to keep your browser up-to-date on security patches. This can typically be done from within the browser, or directly from the vendor’s website. Check for updates at least monthly.

 

Anti-Phishing Tools

Internet Explorer 7.x and higher, Safari 3.2 and higher, and Mozilla Firefox 3.x and higher all provide some protection against phishing.

The Netcraft Toolbar is a browser plug-in available for Internet Explorer and Firefox. The toolbar helps stop phishing attempts by blocking known phishing sites and providing hosting information about the sites you visit.

The McAfee Site Advisor is a browser plug-in available for Internet Explorer and Firefox. The Site Advisor warns you of websites known to have malicious downloads or links by checking them against a database at McAfee.

 

Limited Account Privileges

Limiting account privileges provides simple but effective protection when working online. Limited accounts allow you to do most daily activities but do not allow you to install software (only accounts with administrative privileges can install software on the computer).

Many attacks take advantage of administrative privileges to install malware on your computer. If you’re using a limited account, attackers and malicious websites will not be able to install malware. (This is less of an issue with Windows 7 and Mac OS X because they ask you to confirm software changes.)

Ben

Postscript: I’ve included links below to my 6/30/11 posts updating this article.

Enhanced by Zemanta

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 2,235 other subscribers

Categories

Support Introverted Leadership on Patreon

Blubrry affiliate banner