Friday, January 25, 2013 - 07:50

January 28th is known as Data Privacy Day.  This should be of interest because of the erosion of privacy online.  Every year, we see more data breaches affecting our personal data (e.g. SSNs, medical information, or passwords), and we see companies increase their efforts to take advantage of our online presence for advertising or building demographic data.  Earlier this month Facebook launched a new "feature" called Graph, which they termed a social search engine.  The concept is that Facebook will use data that you have associated in your Facebook account to build a database that can be searched.  Want to find bicyclers in your area?  No problem.  What about who liked a product?  Sure.  What about married people?  Getting a bit more creepy.  While Facebooks says they will honor privacy settings, at what point do they enable it for "private" data as well as the data you have made broadly available?

 

This is just one example in the ongoing debate over how much the Internet and social media have eroded our individual privacy...and if we really care that it has done so.  Does it really matter that anyone on the Internet knows what you bought on Amazon or where you live?  Or do you care that the picture of your late-night adventure is out there for potential employers to find?  As the line blurs between personal and public, these are questions that can only be answered on an individual basis, but it would certainly be good to have the tools necessary to protect our online identities.

 

As a part of Data Privacy Day, you can download a free version of lol...OMG.  The book is a great resource for parents (and students!) about online reputations, digital citizenship, and cyberbullying.  From the book description:

 

The ease with which digital content can be shared online, in addition to its many benefits, has created a host of problems for today’s high school students. All too often, students are uploading, updating, posting and publishing without giving a second thought to who might see their content or how it might be perceived. 

 

lol…OMG! provides a cautionary look at the many ways that today’s students are experiencing the unanticipated negative consequences of their digital decisions – from lost job opportunities and denied college and graduate school admissions to full-blown national scandals. It also examines how technology is allowing students to bully one another in new and disturbing ways, and why students are often crueler online than in person. By using real-life case studies and offering actionable strategies and best practices, this book empowers students to clean up and maintain a positive online presence, and to become responsible digital citizens.

 

If you are interested in another way to think about data privacy, check out Obscurity: A Better Way to Think About Your Data Than "Privacy" from the Atlantic.

 

 

 

Monday, January 14, 2013 - 15:13

Last week, security researchers announced that they had found a new security issue in Java that is currently being exploited by at least two crime groups, attempting to harvest identity and financial information.  The security issue, also known as a 0-day attack (because no patch existed for it), allows attackers to put code on websites that will execute on an unsuspecting user's computer should they visit that website.  Read on for details on patching Java and more importantly, removing Java from web-browsers.

 

Oracle has released a patch to update Java, and we strongly encourage our community to update their Java software as soon as possible.  However, there are concerns that the patch (as well as the continued issues with Java) does not completely protect end-users when browsing the web.  Therefore, we highly recommend disabling Java in your browser immediately.  Will this affect your web browing habits?  Chances are, probably not.  Less than .2% of all websites require java to be enabled in the browser.  And, disabling Java in your browser will not prevent you from running Java applications on your computer.  

 

Oracle has published instructions on how to disable Java, and here is a quick rundown from their instructions:

 

Internet Explorer
The only way to completely disable Java in Internet Explorer (IE) is to disable Java through the Java Control Panel
 
Chrome
  1. Click on the Chrome menu, and then select Settings.
  2. At the bottom of Settings window, click Show advanced settings
  3. Scroll down to the Privacy section and click on Content Settings.
  4. In the Content Settings panel, scroll down to the Plug-ins section.
  5. Under the Plug-ins section, click Disable individual plug-ins.
  6. In the Plugins panel, scroll to the Java section. Click Disable to disable the Java Plug-in.
  7. Close and restart the browser to enable the changes.
  8. Note: Alternatively, you can access the Plug-ins settings by typing about:plugins in the browser address bar.
 
Firefox
  1. Click on the Firefox tab and then select Add-ons
  2. In the Add-ons Manager window, select Plugins
  3. Click Java (TM) Platform plugin to select it
  4. Click Disable (if the button displays Enable then Java is already disabled)
 
Safari
  1. Choose Safari Preferences
  2. Choose the Security option
  3. Deselect Enable Java
  4. Close Safari Preferences window

 

 

 

Thursday, December 6, 2012 - 07:13

From guest blogger Mike Caudill.

 

More correctly stated, it is always the season to not be gullible.  This time of year is a big deal for retailers and charities.  For retailers, many of them will earn a significant portion of their yearly revenue in the months of November and December.  For charities, donors may rush to get those last minute donations in to take advantage of tax deductions for the current tax year.  In doing so, we are bombarded with messages on television, the radio, in print publications, and other means advertising shopping specials or sites to help those in need.  While many if not most of those sites are indeed legitimate, there are certainly those that are not legitimate.

 

I wanted to share with you a personal story that happened just this past weekend.  I had just come from the Christmas parade. People were taking pictures of all of the floats and of the parade participants.  Not long after the parade ended I received a text message on my cell phone.  The message stated, "Tina said forward this to you:" and was followed by a URL from bit.ly, a popular URL shortening service.  While I did not recognize the number, it certainly was possible that it was from some acquaintance's cell phone.  I also was not sure exactly who Tina was.  I do know some folks named Tina, but the message seemed strange.  Could it be that someone had sent me a picture from the parade?  Were they sending me something else?  Were they pointing me to a longer URL for some topic that I was interested in?

So, I checked it out.  But I did so SAFELY.  I did not go visit the URL directly from my cell phone or from my work laptop.  On another machine where I have the tools installed to investigate URLs I typed in the URL manually and visited the website.  "Tina" had wanted to point me at a site where I could get a FREE $1000 Target Gift Card.  All I had to do was to enter a code into the box and click submit while a countdown timer counted down from five minutes.  Anyone believe that any retailer is legitimately having someone named Tina send text messages to random cell phones and offer them $1000 gift cards?

 

When someone sends you a URL and you did not request them to do so, then be very careful about following them.  If something does not seem right then stop and do not proceed any further.  The example I gave is an example of a  attack involving SMS messages to a mobile phone attempting to scam a user called SMISHing. 

 

You may also have heard of the term phishing.  Phishing occurs via email.  While spam email is typically unsolicited and may advertise a product of some type, a phish is also unsolicited but may appear to be from a legitimate party and seeks to trick the recipient into a fraudulent transaction.  That transaction often involves tricking the user into divulging personal information, authentication credentials, or credit card information. The FBI and others have been trying to get the word out on this class of attacks.  They have published guidance available at the following URL:

 

http://www.fbi.gov/sandiego/press-releases/2012/cyber-scammers-target-ho...

 

I started this blog entry with the text "'Tis the season not to be gullible".  The FBI guidance even warns "In advance of the holiday season...".  However, phishing and smishing are not limited to just holidays and their celebrations.  Those attacks take advantage of curiosity, current events, and emotional reactions and can occur any time of the year.  They want to pull you into their trap.  They may leverage current events like natural disasters, sports events, charitable causes or current news to convince you to follow their lead into a trap and they will take the steps necessary to make it believable.

 

Duke recently appeared in the press that we were implementing Office 365 for our institutional email service.  Microsoft even issued a press release on it:

 

http://www.microsoft.com/en-us/news/Press/2012/Oct12/10-19OfficeHIPAAPR....

 

The result?  We have seen a noticeable increase in phishing attempts.  One recent example tried to convince the recipient that they were about to exceed their email storage quota and needed to upgrade their account by clicking a link.  After their information had been verified their account would remain active.  Another informed the user that the Duke University system and calendar services had been updated and they needed to visit the updated URL for information and instructions on how to access your email.  These emails are well crafted and the sites that you are directed to are often made to look like a Duke site.  They may have copied Duke logos and insignias, copied page headers or page styles, and utilized Duke colors or anything else that would make the illegitimate fake site appear to be legitimate and believable. 

 

It is even possible that you could see more targeted attacks where the website domain name may appear to be a Duke site.  Take for example a URL containing a domain name like www.du.ke, or www.duke.org, or www.duke.us?  Do those belong to Duke University?  The answer is no.  While Duke University owns several domain names, you should familiarize yourself with the ones you use most often and pay close attention in the event that sites attempt to utilize domains that might be believable.

 

So what should you do?  How can you protect both your private online accounts and your work accounts here at Duke?  Follow the advice in the fbi.gov URL above.  Do not click on links from unsolicited email.  Hover your mouse pointer over the links in the email and compare the actual link with the text of the link contained in the email.  If it does not point to a URL within Duke or the institution in question, then think twice before clicking it and before providing any information to the remote site.  If in doubt, question the legitimacy of the email and contact the institution via other means to verify the validity of the mail. 

 

Many scammers depend on an unsuspecting victim.  The way to make yourself safer is think before you act so that you can make sure that you do not fall prey to them.

 

 

 

Pages