Category Archives: Privacy

Office of Privacy and Data Protection

As Washington state lawmakers continue to emphasize state-wide information security and data privacy efforts within state government, an office called the Office of Privacy & Data Protection was created to provide information and advice related to privacy issues affecting the public.  The Governor also appointed Alex Alben as the state’s first Chief Privacy Officer.

Efforts by this new office and others, such as the state Office of Cybersecurity and the Office of the Chief Information Officer, illustrate how important it is for each of us as college officials to protect data entrusted to state agencies and institutions, such as Bellevue College.

It is also important to understand that these efforts related to privacy and security are not just part of the job of each state employee, they also reflect the protections each one of us also have a right to enjoy as private citizens.

Therefore, all well-informed college officials and residents of the state should benefit from reading the Privacy Guide published by the new state office and from periodically taking a look at the Tips and Tools page they have put online related to both public and private use of information technology.

If you have any questions or concerns about information security and the privacy of data on campus, please feel free to contact me (x4077) or the Technology Service Desk (x4351)

Safe Computing!

PRIVACY RELATED SITES

Holiday Season Security

The state of Washington Office of Cybersecurity has recently posted a good article related to information security and online shopping at http://cybersecurity.wa.gov/resources/security-tips/.  This is a good time of year for this kind of reminder as we all are taking advantage of the convenience and ease of shopping online.

It cannot be emphasized enough that we each must constantly take care with our private information, particularly financial information like bank accounts and credit cards, and particularly when using or accessing such information using mobile devices.

Don’t trust public computers or wireless networks (even the college’s public Wi-Fi network) to be secure enough for these kinds of transactions.  It is not difficult for a malicious actor to be able to intercept wireless signals as they pass between your phone and the most secure wireless access point, thus having access to obtain whatever information you type into your device.  This could include account numbers, user names, passwords and personal identification numbers (PIN).

Do your online shopping with a trusted wired connection as often as you can (not with public computers like in a library or college computer labs–you never know if the person using it before you compromised the machine).  If you must use a mobile device, like a phone or tablet, be certain to follow the OCS guidelines to make your shopping “trip” as uneventful as possible.

Safe Computing!

 

Lock Down Your Login

As October’s Cybersecurity Awareness Month continues, I thought I would refer once again to the federal Stop.Think.Connect information campaign and focus briefly on one particular topic currently being emphasized there.

Be careful and turn your speakers down before clicking on this link, as the page automatically plays a cutesy animated YouTube video, but the Lock Down Your Login page is a good introduction to what is known as Multi-Factor Authentication (MFA).   This site calls it “strong authentication.”

Once you as a user have been authorized to use a particular technology system, such as a banking website or your work computing network, authentication is the process of verifying your identity to that system so it can provide you the access needed.

Commonly, this is done by prompting a user to provide a login name and password, which in computing terms is considered “single-factor” authentication.

Multi-Factor Authentication is a mechanism through which a user is granted access only after more than one form of authentication is presented.  MFA may sometimes be referred to in the media or on websites as two-step authentication or two-factor authentication (2FA) , but technically 2FA is a subset of MFA.

One very common example of two-factor authentication is the use of a debit card (factor one-something you HAVE) and a PIN (factor two-something you KNOW) to withdraw money from an ATM.

Another example of MFA you may already experienced is the use of your thumb or finger print to unlock your cell phone.  In this case, the first factor (something you HAVE) is the phone, the second factor (something you KNOW) is the password you have previously saved on the phone, and a third factor (something you ARE) is the ability of the phone to read your thumbprint (also called biometrics).  If any of these factors are not available, you cannot access the information on the phone.

Most information security experts now recommend the use of MFA in all cases of authentication, particularly as more and more of our login information is being stored on servers all over the world and more and more of those servers are compromised.

For instance, commerce websites such as Amazon.com asks that you create a username and password (single-factor) to be able to use their service.  A compromise of that information on their servers by hackers or even company insiders could allow malicious users to pretend to be you and make purchases on your account without your knowledge.

The problem multiplies if you happen to employ the same password for different accounts on different systems.  Once one is compromised, all your accounts secured with a single-factor using the same password are potentially compromised.

If, however, if you have set up MFA with your Amazon account,  which allows you to receive a one-time random code via text message, automated phone call or third-party app (such as Google Authenticator or Microsoft Authenticator),  the malicious user cannot get into your account without using that code which only you have on your phone.  Even if they have somehow obtained both your username and password, they cannot login to the MFA protected account.

Other websites or networks now also use phone-based MFA, but there are also methods that are not phone-based, such as the use of security token generators or smart cards.

A few people think the extra step of obtaining and using a random code is too onerous to do every time you log into a particular account.  But this simple extra step increases the security of that account so significantly that most major online companies are preparing or already offering some sort of MFA for use with their accounts.  If that extra step prevents the use of your personal credentials even after a security breach, it is obviously worth it.

As someone who pays close attention to information security and the scary trending online threats and growing malicious practices, I choose to use MFA for my personal accounts whenever it is available, and use both phone text-based codes and app-based code generators.

The use of MFA is also growing quickly in the work place as institutions and business work to protect their internal technology resources, and is currently being tested here at Bellevue College for possible use with Office 365.

If you are worried about this, remember that a couple of decades ago our typewriters didn’t require a login at all, but after computers became ubiquitous, we learned how to function with usernames and passwords. Now it seems natural.

MFA will be the same kind of cultural revolution.   I think it is safe to predict that one day we will be using MFA for all of our accounts as another line of defense against malicious users, and won’t think twice about it.

Safe Computing!

State Office of CyberSecurity

The Washington State Office of Cyber Security (WA-OCS) was created in 2015 to help coordinate state-wide efforts to protect the electronic data and information held by state institutions and agencies (such as BC).

In addition to up-to-date advisory information for security professionals in state agencies, the website for WA-OCS also includes news articles, videos, security tips, lists of recent scams, and information about other resources that the general public may be interested in as they work to be safe online at home and protect their own and their family’s personal data.

As society continues to conduct more and more commerce and social interaction online and “in the cloud”–both professionally and personally–it can never hurt to be informed of the latest cybersecurity information.  So you may consider adding the WA-OCS website to your personal list of important information resources.

Safe Computing!

Stop. Think. Connect

October is Cybersecurity Awareness Month, and in celebration, below are some links to the federal STOP.THINK.CONNECT organization’s tips & advice website and their general advice regarding online safety habits.

STOP.THINK.CONNECT is a good, lay-level website with lots of information and resources addressing some of the basic things that any of us can do, either at home or in the workplace, to help ourselves more securely use computers online.

These basic tips are available in multiple languages :

English, Spanish, Portuguese (Brazilian), Russian, French (Canadian),  and Japanese.

There are also safety tips for mobile devices.

Please take the time to review these basic tips and apply them both with your personal accounts to help prevent cyber-trouble for your cyber-self, and with your professional practices at work.

Other good sites related to your personal online accounts and internet use include:

https://www.lockdownyourlogin.com/

https://www.stopthinkconnect.org/campaigns/own-your-online-presence

https://www.stopthinkconnect.org/campaigns/keep-a-clean-machine-campaign

Safe Computing!

Think Purposefully, Act Knowledgably

A recent tweet by Microsoft (MS) referenced a long-standing free file-hosting website the company supports called DOCS.COM.  File-hosting websites are provided by online vendors (such as MS and Google) as a place where individuals may post personal electronic files and documents, often for the purpose of making them available to the general public.

The post on Twitter linked to a page on Microsoft’s website which included this information:


What is Docs.com?
Docs.com is an online showroom where you can collect and publish Word documents, Excel workbooks, PowerPoint and Office Mix presentations, OneNote notebooks, PDF files, and Sways. With Docs.com, it’s easy for you to share with others what interests you, and your content looks great on any device. 

Can I use my Office 365 account with Docs.com?
Yes. You can use your work or school account to use Docs.com, or you can choose to use a personal Microsoft account — an email address and password that you use to sign in to services like Sway, Outlook.com, Skype, OneDrive, and Xbox Live. If you prefer, you can also sign in to Docs.com with a Facebook account.


As indicated in the article, it appears as though MS has recently extended the permissions to log into and use this website intended for the storage of personal  files to the credentials used by those schools using Office 365 (O365).  Because we are an O365 customer, this means it is possible to use your Bellevue College (BC) login to post documents to DOCS.COM.

This is not necessarily an issue for students who wish to use DOCS.COM for personal documents to supplement the online storage and electronic document sharing capabilities provided by the college through Microsoft’s OneDrive.

However, DOCS.COM is NOT, and I want to repeat this, NOT an authorized location for the storage of any electronic college documents by BC employees, despite the fact that you can access it with college credentials.  The use of the website has not been deemed compliant with FERPA and other campus information security requirements.

It is becoming an increasingly challenging issue in higher education that college employees with access to data and information protected by law (such as FERPA and HIPAA) are copying some of that information to personal file-hosting websites (such as DropBox, Box, DOCS.COM, etc.) without regard as to whether that cloud storage resource meets the information security requirements for the data.  Sadly, many people don’t even take the security of the data into consideration at all; they simply copy it anywhere that makes it more convenient to work with.

It is of utmost importance that each of us think purposefully and act knowledgably  when it comes to the information or data we work with on a daily basis.  Always protecting electronic information is of the highest priority.

The only authorized cloud repository of protected electronic Bellevue College data at the time of this writing is a college-provided OneDrive space or SharePoint Online file storage space (being rolled out soon!), unless a specific exception has been authorized through a Data Sharing Agreement (I’ll discuss these more at a later time).

Despite these services being sanctioned repositories, it is still critical that individual users of these authorized resources are cognizant of how they are sharing or providing access for others to the electronic files and data stored in them.

If you are not certain whether you can share electronic college information with someone, or whether you can store it somewhere, check with your supervisor.  If they are not certain, you or they can contact the Technology Service Desk for assistance, or let me know.

Safe Computing!

Security Information about Office 365

Many campus users have questions as college e-mail accounts are now stored in the cloud version of Exchange ( called Exchange Online) as part of our Office 365 deployment.

In addition to mitigating some of the costs incurred by the college to provide and support e-mail on campus, Exchange Online provides easier access to e-mail from off-campus, and provides additional layers of security and redundancy that have previously been cost-prohibitive for the college.

If you have any concerns about the privacy and/or security of Office 365, or would like more information, check out the Microsoft Office 365 Trust Center, or contact me with specific questions.

Password Security

I haven’t had much time recently to write here a lot, but there is an interesting story related to a data breach in the public sector that I thought would merit a few moments today (here is a link to a Wall Street Journal article about it ).

The basis for the story is that a number of DropBox (a popular cloud file storage site) account passwords have been published by some hackers.  However, the security for the DropBox site itself has NOT been compromised in any way…

So what happened?

It seems that the hackers were able to get into another unidentified website’s user database, which stored account names and password credentials for that site, then went down that list of credentials at the DropBox site.  They were subsequently able to access a number of DropBox accounts.   This ability to use a password stolen from one site to access another site occurred because the users used the same login name and password for their DropBox account that they used on the website that was compromised!

Knowing it would be difficult to get through the high levels of security that DropBox has in place, the hackers simply went to the less secure site and reused against DropBox the information they acquired there.  It wouldn’t surprise me if they actually did this a number of places.  They could have tried accessing Google or Microsoft or Yahoo or any other site they wanted.  The security issue is actually the REUSE by users of the same user names and passwords on different websites.

This illustrates one of the primary purposes behind most malicious attacks: the acquiring of credentials.  If a person with bad intent has actual login access to any given website, it doesn’t matter how much security that site has against direct attacks or hacking.  The bad guys are already in.

Bottom line:  never give away your login name and password, and don’t reuse passwords across multiple websites.  That is the ideal.

However, because it is difficult for all of us to keep track of lots and lots of passwords and to always use a different one for every purpose, at least be aware of what you are trying to protect and think about how to use more secure passwords at sites you wish to better protect.

For instance, you absolutely shouldn’t use the same password for very public places like Facebook or Twitter that you use for very private places like your bank or credit union site.

This applies to campus, as well.  The password you use when handling sensitive or protected college information shouldn’t be the same password you are using to sign up for a Groupon newsletter or to access personalized content on CNN.

 

Federal Trade Commission Scam Alerts site

Happy June!

Today’s information is short and sweet, and is about an important resource each computer user should have at their fingertips.

The Federal Trade Commission has a website intended to inform consumers about current scams, including computer spam scams (say that three times, real fast).  Of course, most things that may be identified as applying to consumers can be valuable in the workplace, as well.

So check out the information posted there, then bookmark the site both at home and here at work, and refer to it whenever you have questions or are just curious.  You can even sign up to get automatic alerts, if you wish.

 

EBay intrusion exposes personal information

Personal privacy issue

As stated on the home page for this blog, sometimes I will be writing about privacy issues, as they are intricately tied to many topics related to information security.  In fact, the whole basic idea of information security is to keep electronically-stored things private when they should stay private.

I will also sometimes talk about issues that may not be directly tied to information security at the workplace.  This is because personal security and privacy practices related to our non-work lives can have tenets  or lessons that can apply directly to our work security and privacy practices.  Today is an example.

Currently, there is a lot of news about an intrusion into the network systems holding personal and private information related to eBay customers .  Because of this breach, the company is recommending that all customers change their passwords.

In fact, the eBay passwords that may have been compromised are encrypted, which will be difficult for the hackers to break (but not impossible).  However, a significant aspect of this data security breach is that the exposed user accounts may have also included unencrypted personal information, such as names, addresses, etc.

This puts many of eBay’s customers at a high risk of increased attempts to social engineer, or trick,  them into providing even more  private personal information.

The importance of password security and the principles of social engineering are basic information security concepts every technology user should understand, whether you are applying them to your personal life, or to your work responsibilities.

If you are an eBay customer, or a customer of PayPal, which is also owned by eBay, you should at least take the recommended precautionary step of changing those passwords.  Making this change does not guarantee that your personal information held by the company is totally secure, but it is a good first step in the wake of this incident.