Tag Archives: personal information

Office of Privacy and Data Protection

As Washington state lawmakers continue to emphasize state-wide information security and data privacy efforts within state government, an office called the Office of Privacy & Data Protection was created to provide information and advice related to privacy issues affecting the public.  The Governor also appointed Alex Alben as the state’s first Chief Privacy Officer.

Efforts by this new office and others, such as the state Office of Cybersecurity and the Office of the Chief Information Officer, illustrate how important it is for each of us as college officials to protect data entrusted to state agencies and institutions, such as Bellevue College.

It is also important to understand that these efforts related to privacy and security are not just part of the job of each state employee; they also reflect the protections that each one of us has a right to enjoy as a private citizen.

Therefore, all well-informed college officials and residents of the state should benefit from reading the Privacy Guide published by the new state office and from periodically taking a look at the Tips and Tools page they have put online related to both public and private use of information technology.

If you have any questions or concerns about information security and the privacy of data on campus, please feel free to contact me (x4077) or the Technology Service Desk (x4351).

Safe Computing!

Holiday Season Security

The state of Washington Office of Cybersecurity has recently posted a good article related to information security and online shopping at http://cybersecurity.wa.gov/resources/security-tips/.  This is a good time of year for this kind of reminder as we all are taking advantage of the convenience and ease of shopping online.

It cannot be emphasized enough that we each must constantly take care with our private information, particularly financial information like bank accounts and credit cards, and particularly when using or accessing such information using mobile devices.

Don’t trust public computers or wireless networks (even the college’s public Wi-Fi network) to be secure enough for these kinds of transactions.  It is not difficult for a malicious actor to intercept wireless signals as they pass between your phone and even the most secure wireless access point, giving them access to whatever information you type into your device.  This could include account numbers, user names, passwords and personal identification numbers (PINs).

Do your online shopping with a trusted wired connection as often as you can (not with public computers like in a library or college computer labs–you never know if the person using it before you compromised the machine).  If you must use a mobile device, like a phone or tablet, be certain to follow the OCS guidelines to make your shopping “trip” as uneventful as possible.

Safe Computing!

Seasonal Phishing

Did you know that Phishing has a season, just like real fishing?

Statistics show that during the year-end holiday period, malicious users are more successful with phishing attacks about holiday giving or shopping because they tailor their message to fit the hustle and bustle and activities of the season.

Here is a short video which reminds all of us not to let our guard down just because we are too busy or distracted to carefully scrutinize an e-mail that advertises a sale or touches our heart.

Have a good holiday season, and Safe Computing!

Stop. Think. Connect

October is Cybersecurity Awareness Month, and in celebration, below are some links to the federal STOP.THINK.CONNECT organization’s tips & advice website and their general advice regarding online safety habits.

STOP.THINK.CONNECT is a good, lay-level website with lots of information and resources addressing some of the basic things that any of us can do, either at home or in the workplace, to use computers online more securely.

These basic tips are available in multiple languages:

English, Spanish, Portuguese (Brazilian), Russian, French (Canadian), and Japanese.

There are also safety tips for mobile devices.

Please take the time to review these basic tips and apply them both with your personal accounts to help prevent cyber-trouble for your cyber-self, and with your professional practices at work.

Other good sites related to your personal online accounts and internet use include:

https://www.lockdownyourlogin.com/

https://www.stopthinkconnect.org/campaigns/own-your-online-presence

https://www.stopthinkconnect.org/campaigns/keep-a-clean-machine-campaign

Safe Computing!

Think Purposefully, Act Knowledgably

A recent tweet by Microsoft (MS) referenced a long-standing free file-hosting website the company supports called DOCS.COM.  File-hosting websites are provided by online vendors (such as MS and Google) as a place where individuals may post personal electronic files and documents, often for the purpose of making them available to the general public.

The post on Twitter linked to a page on Microsoft’s website which included this information:


What is Docs.com?
Docs.com is an online showroom where you can collect and publish Word documents, Excel workbooks, PowerPoint and Office Mix presentations, OneNote notebooks, PDF files, and Sways. With Docs.com, it’s easy for you to share with others what interests you, and your content looks great on any device. 

Can I use my Office 365 account with Docs.com?
Yes. You can use your work or school account to use Docs.com, or you can choose to use a personal Microsoft account — an email address and password that you use to sign in to services like Sway, Outlook.com, Skype, OneDrive, and Xbox Live. If you prefer, you can also sign in to Docs.com with a Facebook account.


As indicated in the article, it appears that MS has recently extended login access to this website, which is intended for the storage of personal files, to the credentials used by schools that use Office 365 (O365).  Because we are an O365 customer, this means it is possible to use your Bellevue College (BC) login to post documents to DOCS.COM.

This is not necessarily an issue for students who wish to use DOCS.COM for personal documents to supplement the online storage and electronic document sharing capabilities provided by the college through Microsoft’s OneDrive.

However, DOCS.COM is NOT, and I want to repeat this, NOT an authorized location for the storage of any electronic college documents by BC employees, despite the fact that you can access it with college credentials.  The use of the website has not been deemed compliant with FERPA and other campus information security requirements.

It is becoming an increasingly challenging issue in higher education that college employees with access to data and information protected by law (such as FERPA and HIPAA) are copying some of that information to personal file-hosting websites (such as DropBox, Box, DOCS.COM, etc.) without regard as to whether that cloud storage resource meets the information security requirements for the data.  Sadly, many people don’t even take the security of the data into consideration at all; they simply copy it anywhere that makes it more convenient to work with.

It is of utmost importance that each of us think purposefully and act knowledgably when it comes to the information or data we work with on a daily basis.  Always protecting electronic information is of the highest priority.

The only authorized cloud repository of protected electronic Bellevue College data at the time of this writing is a college-provided OneDrive space or SharePoint Online file storage space (being rolled out soon!), unless a specific exception has been authorized through a Data Sharing Agreement (I’ll discuss these more at a later time).

Despite these services being sanctioned repositories, it is still critical that individual users of these authorized resources are cognizant of how they are sharing or providing access for others to the electronic files and data stored in them.

If you are not certain whether you can share electronic college information with someone, or whether you can store it somewhere, check with your supervisor.  If they are not certain, you or they can contact the Technology Service Desk for assistance, or let me know.

Safe Computing!

Credential Stealing

One of the consistently best voices addressing cyber security issues worldwide is Bruce Schneier.  He is a cryptography expert and privacy advocate out of Harvard who has published many books, some of which are very technical in nature and intended for professional information security audiences.  But one of his great skills is that he also writes about important and timely privacy, trust and security topics in a manner that is accessible to most lay people.

Today I am bringing your attention to a recent article he wrote for the Xconomy web site which addresses the evolving nature of computer attacks and the assumption most people make that such attacks are merely technical or malware issues.

Turns out, the challenges in modern IT security are not so much about technology, but about people using the technology.  In fact, Schneier states that “…software vulnerabilities aren’t the most common attack vector: credential stealing is.”

The article quotes the head of the NSA’s Tailored Access Operations (TAO) group as saying “…stealing a valid credential and using it to access a network is easier, less risky, and ultimately more productive than using an existing vulnerability, even a zero-day…” (a zero-day being, essentially, a software-based cyber attack using previously unknown tools or methods).

Schneier urges computing professionals to adapt to this changing environment, but the key piece of information within the article for most regular technology users is that they are more and more likely to be the initial target for malicious actors, who are using everything they can–including social engineering, phishing, physical and psychological manipulation, and outright threats–to gain legitimate credentials to target systems or networks, including home networks.

Using the kinds of techniques perfected by stereotypical con men and the hacker culture, modern criminals are now hacking people more than they are hacking machines.  And once they have YOUR work or personal login credentials, they have the same access to everything you have access to within those environments.

So this article is a good reminder for each of us to think twice any time a person or a machine asks for personal or college information, or for home or work technology credentials.

Safe Computing!


The full Bruce Schneier essay can be accessed at: http://www.xconomy.com/boston/2016/04/20/credential-stealing-as-attack-vector/

If you are interested and wish to see more of Bruce’s writings, his personal blog web site is: https://www.schneier.com/.

(Sometimes his writings are too technical for me, but he has a very practical, realistic and common sense approach to many security and privacy issues, so it is worth checking his site out for the more generalized material that can help you understand the issues about which he writes.)

Password Security

I haven’t had much time recently to write here a lot, but there is an interesting story related to a data breach in the public sector that I thought would merit a few moments today (here is a link to a Wall Street Journal article about it).

The basis for the story is that a number of DropBox (a popular cloud file storage site) account passwords have been published by some hackers.  However, the security for the DropBox site itself has NOT been compromised in any way…

So what happened?

It seems that the hackers were able to get into another, unidentified website’s user database, which stored account names and password credentials for that site, and then went down that list of credentials at the DropBox site.  They were subsequently able to access a number of DropBox accounts.  This ability to use a password stolen from one site to access another site occurred because the users used the same login name and password for their DropBox account that they used on the website that was compromised!

Knowing it would be difficult to get through the high levels of security that DropBox has in place, the hackers simply went to the less secure site and reused against DropBox the information they acquired there.  It wouldn’t surprise me if they actually did this a number of places.  They could have tried accessing Google or Microsoft or Yahoo or any other site they wanted.  The security issue is actually the REUSE by users of the same user names and passwords on different websites.

This illustrates one of the primary purposes behind most malicious attacks: the acquiring of credentials.  If a person with bad intent has actual login access to any given website, it doesn’t matter how much security that site has against direct attacks or hacking.  The bad guys are already in.

Bottom line:  never give away your login name and password, and don’t reuse passwords across multiple websites.  That is the ideal.

However, because it is difficult for all of us to keep track of lots and lots of passwords and to always use a different one for every purpose, at least be aware of what you are trying to protect and think about how to use more secure passwords at sites you wish to better protect.

For instance, you absolutely shouldn’t use the same password for very public places like Facebook or Twitter that you use for very private places like your bank or credit union site.

This applies to campus, as well.  The password you use when handling sensitive or protected college information shouldn’t be the same password you are using to sign up for a Groupon newsletter or to access personalized content on CNN.

Free Stuff!!

Information Security part:

It is not uncommon for malicious parties to send out e-mail or other communications with the text “Free Stuff!!” as part of the subject line or emblazoned in bold letters across the top of the ad.  Often the lure of the possibility of getting something free is irresistible to us human beings.

This means we, as consumers of technology, need to be cautious whenever we see offers that seem too good to be true.  In one of my favorite childhood science fiction books, The Moon is a Harsh Mistress by Robert Heinlein, I learned to look carefully at free offers through the lens of the acronym TANSTAAFL.

“There Ain’t No Such Thing As A Free Lunch” means simply that there is often a hidden cost behind “free” offers, and that an intelligent person will be certain to look for that cost before jumping onto any “free” bandwagon.

Non-Information Security part (sort-of):

I’ve mentioned before that I would periodically include in this blog things outside the realm of information security if I found it interesting and worth sharing.  This is one of those times.

Microsoft yesterday announced that they are increasing in July the amount of storage space allocated to users of their OneDrive cloud file storage.  OneDrive allows users to access saved files through the internet from anywhere, using any computer or device (such as a smart phone or pad).

The amount of storage space available in the “free” (advertiser supported) version of OneDrive is increasing from 7 GB (gigabytes) to 15 GB.

Microsoft also offers paid OneDrive subscriptions, the first as a stand alone product for which they are charging $1.99 for 100 GB [previously $7.49] or $3.99 for 200 GB [previously $11.49] per month.

The second subscription version is associated with the various (and variously priced) versions of their online Office 365 product.  They have not changed the price of the monthly or annual Office 365 subscriptions, but are changing the amount of OneDrive space available to subscribers to 1 TB (terabytes; equivalent to about 1,000 GB).  This is a HUGE amount of personal storage space!

This offer, including its “free” version, may well be worth checking out if you are interested in personal cloud storage of your files.

Privacy Disclaimer

It is important to always keep in mind that in storing your personal files “in the cloud” (whether it is OneDrive or other free or paid offerings, like Box, DropBox, Google Drive, Amazon Cloud, Apple’s iCloud, or any other company), those files are resting on servers controlled by whichever company is providing the service.

This means they are subject to disclosure, either to certain company technical employees or, through legal requests, to courts or law-enforcement officials.  Just as with files stored on college systems, they are not totally protected from disclosure in certain situations.

However, if you make an informed decision, weighing the benefit of using such personal file storage services against their hidden costs (such as lack of perfect privacy), they can be pretty useful, especially if you access files from multiple locations on multiple devices.

Sharing login information

Recent increases on campus in individual Bellevue College computer and/or network users sharing their account information with others, including their login name and/or password, have motivated this reminder to the campus regarding the seriousness with which such “sharing” is viewed.

To make certain we are absolutely clear on its definition, in this context “sharing” includes not only giving someone your user name and password; it also includes logging into a computer and allowing another person to use that computer.  It does not matter whether the person might otherwise or eventually be authorized to use that computer; it is still prohibited.

Login names and passwords

Account names and passwords are used on campus computers for two basic reasons:

  • First, they help secure the technology resources and provide computer and network access only to those who have been legally authorized. 
  • Second, they provide individual accountability for how those resources are used.

Two Bellevue College policies, Policy 5150: “Acceptable Use of Networks and Systems” and Policy 5000: “Acceptable Use of Bellevue College Computers”, state that college computer and network users are specifically prohibited from allowing ANYONE to use a network account name or password assigned to them.

In some circumstances, unauthorized access to or use of college computers may constitute a breach of security which triggers policy-based or legal requirements for the college to notify students and others (including the community as a whole) of a potential breach of their FERPA privacy rights or of their confidential and/or sensitive protected information.

Potential for embarrassment

Not only is sharing account information against policy, it is simply one of the riskiest behaviors a computer user can engage in.  Anyone with your account name and password can do anything they want on the computer or network/Internet and it will appear to have been done by you.  Imagine the embarrassment created by sharing your account information if the individual you shared it with uses it inappropriately:

  • If they want to harass someone online?  No problem, the authorities will come looking for you.
  • Perhaps they want to download inappropriate materials?  The investigation will point back to you.
  • Maybe they want to send an embarrassing e-mail to the college President or a Trustee.  Or anyone.  No sweat; everyone will come looking for you.

These are just a few of the possibilities.  Certainly, in the majority of cases those individuals who are sharing your account information may do nothing inappropriate.  But all it takes is one irresponsible or malicious person and you become the focus of much unwanted attention.

Personal and confidential

Your login name and password are personalized credentials, just like your driver’s license—they represent you on-line at Bellevue College and to the wider Internet.  They are also a security tool, similar to car or house keys.  While most of us would never think it appropriate to hand someone else our driver’s license and car keys to use simply because they didn’t have their own, we often don’t give a second thought to sharing account information.

The sanctions for an individual sharing their account name and password, or for using someone else’s shared account information, are very serious.  They may include loss of computer privileges, denial of future access to college technology resources, or other disciplinary actions, up to and including dismissal from the college.

Please help Information Resources continue to keep the college networks and computers working as a viable business and educational tool by protecting your login account name and password and ensuring that you are the only one using those credentials. 

Individuals who are authorized college technology users can create their own login and password through the Net-ID website using their Systems ID number (SID), Personal ID number (PIN) and date of birth (DOB).  If you need assistance getting someone authorized to use Bellevue College technology resources, please feel free to contact the Help Desk by e-mail, through Request Center, or by phone (x4357), or to contact me.

Federal Trade Commission Scam Alerts site

Happy June!

Today’s information is short and sweet, and is about an important resource each computer user should have at their fingertips.

The Federal Trade Commission has a website intended to inform consumers about current scams, including computer spam scams (say that three times, real fast).  Of course, most things that may be identified as applying to consumers can be valuable in the workplace, as well.

So check out the information posted there, then bookmark the site both at home and here at work, and refer to it whenever you have questions or are just curious.  You can even sign up to get automatic alerts, if you wish.