Announcements

30 Oct, '13—2:11 pm

Apple has just made its new operating system, Mavericks, available as a free download. If you're eager to upgrade your Mac laptop or desktop, we recommend waiting for about a week so CIS can test compatibility with Brown's services. Mavericks is not yet supported by CIS. Next week, we will send another Morning Mail listing Brown services and their compatibility with Mavericks.

22 Oct, '13—3:13 pm

Please join us as Art Salomon shares his award-winning Biology course in the first of the Academic Technology Showcase series luncheons. His latest string of technology uses includes monitoring the test-taking environment, Lecture Capture, a YouTube channel, an in-class discussion channel, a Facebook group, and, to top it off, an amazing exam turnaround time.

22 Oct, '13—3:12 pm

On October 15th, Ada Lovelace Day, Brown is hosting a wiki edit-a-thon to increase the amount of information about women in science on Wikipedia. Find out more, including how to get involved, at the links below. The event is co-sponsored by Wikimedia New England, Brown's Program in Science and Technology Studies, the Pembroke Center, and the Brown Science Center.

11 Oct, '13—9:48 am

Brown faculty, staff, and graduate students can now install the latest version of EndNote, which no longer requires KeyAccess or a VPN connection when off campus. Download EndNote X7 from the Software Catalog.

New to EndNote? Their website has a comprehensive library of video tutorials to help you learn the software. For basic installation help, contact the IT Service Center.

3 Oct, '13—1:40 pm

A few people have noticed the RSS links at the top of our Announcements and Alerts pages and asked what RSS is and how to subscribe to it. RSS (which stands for "Really Simple Syndication") is a standard way to format dated content such as blog posts or newspaper articles. Formatting these in a standard way is helpful because other applications, such as a news-reader app on your phone, can then understand them.

For example, let's say you are really interested in learning how to cook, and you find 20 fantastic food blogs and 5 newspaper recipe pages. You could bookmark all 25 of these websites and visit them every day to see if something's new, but that would be a lot of work! Instead, you could use a feed reader to display all the new content in one place. You can open a single app or website and see what's new.
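To make the "all the new content in one place" idea concrete, here is an added example (not part of the original announcement and not Brown's or Feedly's code) that does what a feed reader does: it parses RSS 2.0 documents with Python's standard library and merges the items from several subscriptions into one list, newest first. The two feeds are constructed samples with example.edu addresses, not Brown's actual Alerts and Announcements feeds.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Two constructed RSS 2.0 feeds (not Brown's real feeds) standing in for the
# Alerts and Announcements feeds linked from the page.
ALERTS_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>IT Alerts (constructed sample)</title>
    <link>http://example.edu/alerts</link>
    <description>Service alerts</description>
    <item>
      <title>Wireless maintenance tonight</title>
      <link>http://example.edu/alerts/1</link>
      <pubDate>Wed, 02 Oct 2013 09:00:00 -0400</pubDate>
    </item>
    <item>
      <title>VPN service restored</title>
      <link>http://example.edu/alerts/2</link>
      <pubDate>Thu, 03 Oct 2013 14:30:00 -0400</pubDate>
    </item>
  </channel>
</rss>
"""

ANNOUNCEMENTS_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>IT Announcements (constructed sample)</title>
    <link>http://example.edu/announcements</link>
    <description>News from IT</description>
    <item>
      <title>EndNote X7 now available</title>
      <link>http://example.edu/announcements/1</link>
      <pubDate>Tue, 01 Oct 2013 12:00:00 -0400</pubDate>
    </item>
    <item>
      <title>Mavericks compatibility update</title>
      <link>http://example.edu/announcements/2</link>
      <pubDate>Fri, 04 Oct 2013 08:00:00 -0400</pubDate>
    </item>
  </channel>
</rss>
"""


def parse_feed(xml_text: str) -> list[dict]:
    """Return one dict per <item> in an RSS 2.0 document, tagged with the feed title."""
    # A feed is untrusted input fetched from a remote site; for anything
    # beyond a demo, parse it with a hardened parser (e.g. the defusedxml package).
    channel = ET.fromstring(xml_text).find("channel")
    if channel is None:
        raise ValueError("not an RSS 2.0 document: no <channel> element")
    feed_title = (channel.findtext("title") or "").strip()
    entries = []
    for item in channel.findall("item"):
        date_text = item.findtext("pubDate")
        entries.append({
            "feed": feed_title,
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            # RSS dates use the RFC 822 format; parse to a timezone-aware datetime
            "published": parsedate_to_datetime(date_text) if date_text else None,
        })
    return entries


def merge_feeds(*feeds: str) -> list[dict]:
    """What a feed reader does: combine every subscription into one list,
    newest first. Items without a date sort last."""
    oldest = datetime.min.replace(tzinfo=timezone.utc)
    entries = [entry for feed in feeds for entry in parse_feed(feed)]
    return sorted(entries, key=lambda e: e["published"] or oldest, reverse=True)


if __name__ == "__main__":
    for entry in merge_feeds(ALERTS_FEED, ANNOUNCEMENTS_FEED):
        print(entry["published"].date(), entry["feed"], "-", entry["title"])
```

Running the script prints the four sample items in date order regardless of which feed they came from, which is exactly the single "what's new" view a reader app gives you.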

If this sounds exciting, you might be wondering what feed reader to use. That's a matter of preference, and we don't recommend or support a specific product at Brown. It depends whether you want to read on a computer or a smartphone, and if there are other features you're looking for like social networking integration or slick design. Here are a few favorites:

For example, if you wanted to subscribe to our IT at Brown alerts, you would right-click (PC) or control-click (Mac) on the RSS link at the top of the Alerts page and copy the link address.

Next, you would open your preferred RSS reader and paste the link wherever you are able to add feeds. Here's what it looks like in Feedly:

3 Oct, '13—1:39 pm

New Requirements for Access to E-reserves on OCRA
Due to a change in the Library's OCRA (Online Course Reserves) system on September 10th, the way instructors and their delegates manage reserves has changed. After logging in with their own Brown username:

  • Instructors will see a link to "Manage My Reserves", at which they can add delegates.
  • Delegates will see a link, or multiple links, to "Manage Reserves for [instructor's name]".

If you experience problems logging in, or with any other aspect of the system, please email jean_rainwater@brown.edu or birkin_diana@brown.edu.

Requirements for Accessing OCRA Online Movies
In order to access OCRA Online Movies, your computer must meet the following requirements. This applies whether you are accessing your OCRA course reserves through Canvas or through the Library Reserves site.

  • Network Connection: Online Movies are available only on the campus network, either over Brown-Secure, Ethernet, or from a computing lab. To watch movies from off campus, you will need to connect using VPN.
  • Java: Make sure your Java is up to date. You can run the test by visiting http://java.com/en/download/installed.jsp.
  • On a Mac: Use Firefox or Safari; your movies will not play in Chrome.
  • On a PC: Use Windows 7 or earlier with Chrome, Internet Explorer, or Firefox. Windows 8 does not work with this service, so if you have Windows 8 you will need to view the movie in a computing lab.

For issues viewing Online Movies, contact the IT Service Center.

27 Sep, '13—4:29 pm

Do you like spam?  Of course I’m talking about unsolicited bulk mail, and not the canned food.  That could be a whole other message, which perhaps I’ll address in a future memo. I have a feeling that no one answered yes to my question. No one likes electronic spam, and yet we need to learn to live with it, as it will continue to direct itself to our in-boxes.

Did you know that most of the email around the world is actually spam? While there have been periods where the percentage was consistently over 90%, recent years have the numbers between 85 and 90%, thanks to the more rapid shutting down of botnets, which are responsible for most of the spam traffic. Brown is not immune to this phenomenon, as these same percentages are seen in messages coming to the Brown domain.

The good news is that a high percentage of them never reach your email box, and many of those that do are still identified as spam and sent to the spam folder. I'm sure we all agree that we would not want to sift through that many messages to find the real mail in our box. Compare yourself to Bill Gates, who receives approximately four million messages per year. Imagine going through all those messages each day to find the 1,000 legitimate ones if spam filters did not work!

Spam is not only a nuisance, but it can be malicious in nature, especially if it is also a phishing email. Brown has recently been the victim of several phishing attacks, to which some of our community have fallen victim. Not only does this place the victim's personal information at risk, but it also propagates the phishing scam deeper throughout our community via the person's contact list. The Information Security Group and the CIS Help Desk work quickly in identifying the compromised account, and aid the victim in stopping the attack. This is all part of our mission here at Brown. Still, we wish to get to the point where no one in the Brown community falls for a phishing scam. You can learn tips to help you spot a phish by visiting the ISG Phishing Primer here.

As this is October, and once again Brown is participating in National Cyber Security Awareness Month, we will also be hosting a brown bag on 10/10/13 entitled “Don’t Get Caught…by a Phishing Phony”.  Learn about this, and all of the activities of the month at www.brown.edu/go/cybersecurity.

As always, I welcome your comments and feedback.  Please feel free to reach out to me directly at david_sherry@brown.edu, or the group at ISG@brown.edu.  Let me know how we are doing, areas of concern you may have, or questions on protecting your identity or personal computing security.  And remember, sec_rity is not complete without U!

27 Sep, '13—4:15 pm

When you're sitting on top, you have a great view of others. The downside is, you're now easy to spot and make a better and more tempting target.

As Android's popularity has risen*, so has its attractiveness to hackers. This is akin to underdog Firefox becoming the favored alternative to Internet Explorer when the latter was under siege, and then the hackers turning their sights on the more visible Firefox.

So the bad news for users of Android is that it's now under attack. One way you could be affected is by downloading rogue apps from third-party websites, such as recounted in the August 13, 2013 story New Android malware is being distributed through mobile ad networks.

The good news is, if you read the article closely, you'll notice that the mobile ad networks it mentions are more common in areas where mobile devices can't access the official Google Play store or users have difficulties in purchasing applications in a legitimate manner. According to Antone Gonsalves in his September 27, 2013 article Become a hacker. Coding experience not needed., this is generally in places like "Asia, Eastern Europe and Russia (where) infection rates for Android smartphones are higher because people regularly download apps from sketchy sites. In the U.S., the vast majority of people use Google Play, so the chance of infection is minuscule."

So even though you Android users might breathe a little easier seeing this, note the importance of using Google Play as your marketplace for apps. Since a few bad ones slip through occasionally, it's also a good practice to read an app's reviews and download statistics before clicking that install button.

And for a nice rundown of Android antivirus software, see Darlene Storm's article Mobile malware madness: Favorite target? Android. Here's 3 free security apps. It paints a less rosy picture, but then it is from the point of view of AV vendors.  Still some good advice at zero cost to you.

In summary, nothing is safe 100% of the time, but you can take some precautions to protect yourself: download only legitimate apps, run an antivirus program, and use your common sense. If something appears a bit iffy, steer clear.

* According to a survey from the Pew Internet & American Life Project, in May 2013, Android led iOS by 3 percentage points (28% of mobile phone owners' smartphones were Android, 25% running iOS). Read more about smartphone trends at US Smartphone OS Race Still Close, as Men, Younger Users Favor Android.

27 Sep, '13—4:14 pm

As of October 3rd, the Information Security Group will be located on Brown's main campus in the 169 Angell building, accessed from the entrance on Angell, opposite the Brown Bookstore/Bank of America entrance. Offices are on the second floor in some of the space formerly occupied by the Help Desk (which is now situated in the new Service Center in CIT 101).

Besides performing information security consults on-site, ISG also has a hard drive crusher used for crushing no-longer needed drives containing data covered under the Brown Restricted Information Policy. If you have any that fit that description, or others that you simply desire to destroy, please contact us at ISG@brown.edu to arrange an appointment.

27 Sep, '13—4:12 pm

The following article appeared in the August 2013 issue of  OUCH! magazine and was written by James Tarala. More details about this author and OUCH appear at the end of this article.

Who Are You?

The process of proving who you are (called authentication) is a key step to protecting your online information. You want to be sure only you have access to your private information, so you need a secure method to prove who you are, such as when you check email, purchase something online or access your bank accounts. You can prove who you are in three different ways: what you know, such as a password, what you have, such as your passport, and who you are, such as your fingerprint. Each one of these methods has its advantages and disadvantages. The most common authentication method is using what you know: passwords.

Passwords

You most likely use passwords almost every day in your life. The purpose of a password is to prove you are who you say you are. This would be an example of something you know. The danger with passwords is that if someone else can guess or gain access to your password, they can then pretend to be you and access all of the information that is secured by it. This is why you are taught steps to protect your password, such as using strong passwords that are hard for attackers to guess. The problem with passwords is they are quickly becoming dated. With newer technologies it is becoming easier for cyber attackers to forcibly test and eventually guess passwords or harvest them with technologies such as keystroke loggers. A simpler yet more secure solution is needed for strong authentication. Fortunately, such an option is becoming more common -- something called two-step verification. To protect yourself, we highly recommend you use this option whenever possible.

Two-Step Verification

Two-step verification (sometimes called two-factor authentication) is a more secure way to prove your identity. Instead of requiring just one step for authentication, such as passwords (which is something you know), it requires two steps. Your ATM card is an example. When you withdraw money from an ATM machine, you are actually using a form of two-step verification. To prove who you are when accessing your money, you need two things: the ATM card (something you have) and the PIN number (something you know). If you lose your ATM card your money is still safe; anyone who finds your card cannot withdraw your money as they do not know your PIN (unless you wrote your PIN on your card, which is a bad idea). The same is true if they only have your PIN and not the card. An attacker must have both to compromise your ATM account. This is what makes two-step verification so much more secure: you have two layers of security.

Using Two-Step Verification

One of the leaders in online two-step verification is Google. With a variety of free online services such as Gmail, Google needed to provide a stronger authentication solution for its millions of users. As such, Google rolled out two-step verification for most of its online services. Not only is Google's two-step verification a free service any Google user can sign up for, but other online providers are using similar technology for their services, such as Dropbox, Facebook, LinkedIn and Twitter. By understanding how Google's two-step verification works, you will understand how many other online two-step verification services work.

Google's two-step verification works as follows. First, you will need your username and password, just as before. That is the first factor, something you know. However, Google then requires a second factor, something you have -- specifically, your smartphone. There are two different ways you can use your smartphone as part of the login process. The first is to register your phone number with Google. When you attempt to authenticate with your username and password, Google will SMS a new, unique code to your smartphone. You then have to enter this number when you log in. The other option is to install Google authentication software on your smartphone. The software then generates a unique code for you. The advantage with this second approach is that you do not need to be connected to a service provider, as your phone generates your code for you.
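The second option above, where the phone produces the code on its own, works because the phone and the server share a secret at enrollment time and each derives the same code from that secret plus the current 30-second time step. The following is an added example, not part of the OUCH! article and not Google's code: a minimal implementation of the time-based one-time password algorithm (RFC 6238, built on the HOTP algorithm of RFC 4226) that authenticator apps of this kind use, together with the server-side check a service should perform, including a small tolerance for clock drift and a guard against accepting the same code twice. The function and class names are the example's own; the 20-byte test secret used in the test vectors is the one published in the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30   # seconds per code, the usual setting for authenticator apps
DIGITS = 6       # length of the code the user types in


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    counter_bytes = struct.pack(">Q", counter)             # 8-byte big-endian
    mac = hmac.new(secret, counter_bytes, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step.
    The phone and the server each compute this from the shared secret and
    their own clock, so no network connection is needed to get a code."""
    return hotp(secret, unix_time // step, digits)


def find_matching_counter(secret: bytes, candidate: str, unix_time: int, window: int = 1):
    """Return the time-step counter whose code equals `candidate`, searching
    `window` steps either side of now to tolerate clock drift, else None.
    hmac.compare_digest keeps the comparison time independent of the input."""
    now = unix_time // TIME_STEP
    for drift in range(-window, window + 1):
        counter = now + drift
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return counter
    return None


class TotpAccount:
    """Server-side enrollment state for one user: the shared secret and the
    last counter accepted, so a code that was already used (or observed by
    someone else) cannot be replayed within the drift window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def check(self, candidate: str, unix_time: int, window: int = 1) -> bool:
        matched = find_matching_counter(self.secret, candidate, unix_time, window)
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


def enroll() -> tuple[bytes, str]:
    """Generate a fresh 160-bit secret. The base32 form is what an enrollment
    page would show the user (typically inside a QR code) to load into the app."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode("ascii")


if __name__ == "__main__":
    import time
    secret, shown_to_user = enroll()
    account = TotpAccount(secret)
    now = int(time.time())
    code = totp(secret, now)                       # what the phone would display
    print("secret (base32):", shown_to_user)
    print("code:", code, "accepted:", account.check(code, now))
    print("same code again accepted:", account.check(code, now))  # False: replay
```

Two design points worth noticing: the server never sends anything to the phone, which is why this method works without a service provider; and because codes are only valid for a few time steps, the server's own clock must be kept accurate, otherwise every user's codes will be rejected.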

Two-step verification is usually not enabled by default; it is something you will have to enable yourself. In addition, most mobile apps are not yet compatible with two-step verification. For most mobile apps you will need to use application-specific passwords, which you can generate once you enable two-step verification. Finally, you may have the option of creating recovery keys in case you lose your smartphone. We recommend you print those out and store them in a safe, locked location.

We highly recommend you use two-step verification whenever possible, especially for critical services such as email or file storage. Two-step verification goes much further to protect your information, as criminals have to work much harder to try and compromise your accounts.

Resources

Where you can use two-step verification:
http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two+factor-authentication-right-now
Google Two-Step Verification: http://www.google.com/landing/2step/
Common Security Terms: http://www.securingthehuman.org/resources/security-terms
SANS Security Tip of the Day: https://www.sans.org/tip_of_the_day.php

Guest Editor

James Tarala is a speaker, author and senior instructor with the SANS Institute. He is a principal consultant at Enclave Security and a contributor to the Critical Security Controls and AuditScripts.com. You can follow James on Twitter @isaudit or meet him in person at one of his upcoming courses.

OUCH! August 2013 issue:  http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201308_en.pdf
OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 3.0 license.