Tag Archives: security

Information Security Awareness Week 2-6 October

Information Security Awareness Week 2-6 October 2017

The week will focus on why information matters to all University staff and students, the threats that we all face as users, and how you can take some very simple steps to quickly protect your personal data and research content.

We will also be active on Twitter during the week, with hints, tips and useful guidance. Follow us on Twitter at http://www.twitter.com/UoEInfoSec and with #UoEInfoSec.

Further information will be posted on http://www.ed.ac.uk/infosec and Twitter as we announce it.

 

Information Security Week

Information Security Week 3-7 October 2016

The week will focus on why information matters to all University staff and students, and how you can take some very simple steps to quickly protect your personal data and research content.

The main event on the afternoon of 5 October will see invited internal and external speakers present and discuss some of the issues. These will be very accessible and are aimed at all audiences, regardless of technical abilities. Bookings are now open via the following event channel: https://www.events.ed.ac.uk/index.cfm?event=book&scheduleID=21717

Twitter:  http://www.twitter.com/UoEInfoSec

Website: http://www.ed.ac.uk/infosec

 

Security – Email

It happens all the time, and another large company has just announced that they had a data breach – Yahoo!

What can you do?

  • Change your password
  • Use a unique password
  • Check your account for any unusual activity
  • Ensure your PC is up to date with software and operating systems (including an anti-virus package)

Further information about the Yahoo hack can be found at:

Information Security Awareness Week

Edinburgh University Information Security Awareness Week:
Monday 26th October to Friday 30th 2015.

The awareness week is intended to promote four themes, and to encourage you all to take the Information Security Essentials training course.

During this week there will be information security advice clinics, opening on various University campuses.

Further information can be found at: http://www.ed.ac.uk/information-services/computing/desktop-personal/information-security/information-security-awareness-week

Find out about managing your digital footprint at  www.ed.ac.uk/iad/digitalfootprint

Beyond Passwords (Stay Safe Online: Part 3)

Welcome back to the third part of our series on securing your social media and online accounts! This week, we’re going to look at how you can improve your security by using more than just passwords on online accounts. The great thing about passwords is that if you’ve been following our guides, you’ve got passwords that are easy for you (or your computer) to remember yet very hard for anybody else to guess. However, computers are now so powerful that they can test millions of passwords every second, which puts the security of any password under strain. A new type of security has emerged, however, called “two-factor authentication”. This relies on both something you know, such as a password, and something you have, such as your smartphone. You enter your username and password, and are then asked for a code from your phone, which the phone either generated itself or received by text. Only once you enter that code will you be allowed access. The security is fantastic – assuming that there aren’t any weaknesses in the software running on the website, a computer could test every possible password yet still not get into an account. And if an unauthorised party takes your phone, they still need to have your password.

How does it work?

Every website that uses 2FA (short for two-factor authentication) will have slight variations on how their version works. However, most follow this basic pattern:

  1. Register your account with them
  2. Download an app onto your phone (one app works for most websites)
  3. Go into your account settings. There will be an option to set up 2FA. Go through the process. You will be asked to enter a code or scan a QR code on your phone. Your phone will then give back a code; enter that into the website to confirm it
  4. When you next log on to the website, you’ll be asked for a code from the app in addition to the username and password before you can log in

As you can see it is simple. However, some websites will instead text you a code rather than use an app. Most websites use an app called Google Authenticator (https://support.google.com/accounts/answer/1066447?hl=en) but if you are on another platform you may have to find an alternative app. Some websites also use other apps – they will tell you how to get them.
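How the app and the website arrive at the same code in steps 3 and 4, as an added example that is not part of the original post. It assumes the time-based one-time password standard (RFC 6238) that Google Authenticator implements; the secret is the RFC's published test key, not a real account's, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key, in the Base32 form a setup QR code carries.
SHARED_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at_time, digits=6, step=30):
    """Code for the 30-second window containing at_time (RFC 6238, HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time) // step                 # number of whole windows since 1970
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at_time, window=1, step=30):
    """Website side: accept the current window plus `window` steps either
    side, to tolerate a phone clock that is slightly out."""
    for drift in range(-window, window + 1):
        t = at_time + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t, step=step), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(SHARED_SECRET_B32, now)            # what the phone displays
    print("code on phone:   ", code)
    print("accepted by site:", verify(SHARED_SECRET_B32, code, now))
    print("same code 5 minutes later:", verify(SHARED_SECRET_B32, code, now + 300))
```

Because both sides compute the code from the shared secret and the clock, the phone needs no network connection, and a code seen by someone else stops working once its window has passed.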

What websites can I use this on?

Good question! As the list changes all the time, you should check this website (https://twofactorauth.org). This website will also tell you how to enable it for each service that supports it.

What websites should I use this on?

As many as you can be bothered to is the honest answer! However, start with the services which are most crucial and work backwards. That may mean online banking for you (contact your bank to see what they offer). Right after that, secure your email to prevent anyone from accessing all your other services, as discussed earlier. If you have a Google, Microsoft or Apple account, these may have lots of sensitive information saved (such as payment details) in addition to your email – they may even allow a hacker to remotely lock and wipe your devices. These accounts should definitely be a priority if you use them a lot. In general though, think about which accounts would be the worst to get hacked and start with them.

What if I lose my phone?

When you sign up for 2FA, most sites offer you a recovery key which YOU SHOULD KEEP SAFE!!! If you lose that, you may NEVER be able to get access to your account again if you lose your phone. This does depend on the service you use, but do ask them or research to see what would happen. You do get services that back up your authentication codes, such as Authy (https://www.authy.com), and can share them between devices. This does decrease security, but increases convenience and for many may be a good compromise. However, do your own research for this!

Are there any other problems?

If you lose your phone you may never be able to log in to something again. If your phone is out of charge or not on you, you may also not be able to log in at that time. It will also make your day-to-day online life ever so slightly more inconvenient. It is up to you to decide if those are worth the very big improvements in security. As we store more and more of our important data online and those wanting to break into online services get ever more sophisticated, this may be something you want to consider using more and more.

Managing Those Passwords! (Stay Safe Online – Part 2)

In the last post, we looked at why and how to set secure passwords for online accounts. We even included tips on how to create easy to remember passwords! If you’ll remember however, one of our primary rules was to keep a separate password for every online service. That gets confusing really quickly! With the help of some software called Password Managers, you’ll find that setting new passwords for everything is easier than just remembering a few passwords for everything!

  • What is a password manager?

A password manager simply stores passwords for you, with most entering the password when you go onto a website. If you’ve ever been asked by your web browser if you want to save a password (Internet Explorer, Chrome, Firefox and Safari, just to name the 4 largest browsers, all offer this, as do many others) then you’ve encountered a password manager before. Password managers should securely save your passwords, either using their own password to encrypt the other ones or unlocking when you log into your computer. The simplest ones store them on your computer, so it shouldn’t create any more security problems to use one. The best thing about many password managers is that they can automatically make you a new password when you register a new account or change your password, then save it! This obviously saves you a lot of time.

  • What if I have more than one device?

Good question! Today, most people will have a ‘main’ computer such as a laptop, their smartphone, the university PCs and possibly a tablet or another secondary device. There are ways to keep your passwords saved across all of these though. Some password managers save your passwords online in the cloud, which means they can be accessed anywhere with an internet connection. You may be worrying about security, and you’d be right to do so, but as long as you understand the risks and keep your password for any sort of program secure it should not be a problem. Do keep in mind though, if the service does get hacked so do all of your passwords and you will need to change them ASAP!

  • What services do you recommend?

We don’t ‘recommend’ any service in particular; however, the website Lifehacker compiled a list of the Five Best Password Managers (http://lifehacker.com/5529133/five-best-password-managers) in January 2015, which would be a great place to look, as the entries were voted for by the readers of Lifehacker! Most of the services listed, though, do cost money or require some more complicated set-up. However, if you use Apple’s products you might want to consider iCloud Keychain (https://support.apple.com/en-gb/HT204085). Alternatively, if you use Google Chrome (http://www.theverge.com/2013/4/3/4180514/google-brings-password-autofill-sync-to-chrome-for-android) this can synchronise passwords across every Chrome browser you are logged into. Again however, we do not recommend or endorse either of these services nor do we guarantee that they are secure. Whichever solution you choose, you should do research to ensure:

  • You are happy with the price of the service
  • The service works on every device you want your passwords on
  • The service is secure – reading news articles and sticking to reputable services is the best way to tell this if you are not technically savvy
  • You understand how it all works – it’s easy to use one of these without getting the most out of it. Also, some systems won’t ever let you back in if you forget your password (for your own security). Make sure you check these things before you decide on one.

  • In Conclusion

Password Managers can be very useful, but they are not entirely without risk (either technical or security). A good, if slightly older, discussion of this can be found on PC Pro (http://www.pcpro.co.uk/features/380377/password-managers-are-they-safe-which-is-the-best/page/0/1). If you choose to go for one, make sure you look into it and then research which one is the best for you! It’s not something you’re locked into: although it may be slightly inconvenient to move your passwords between two different password managers, it can be done. So hopefully this has been an informative guide on how to improve the security and convenience of all your passwords! Our next article will look at increasing security using more than just passwords. Do you have any experience with password managers? Do you have any tips for people to help get the best out of them? Do you have any questions? Tell us via our Facebook or Twitter!

Simple Security: Passwords! (Stay Safe Online – Part 1)

Welcome to part one in our series on keeping your online accounts secure! Today, we’re going to be dealing with one of the simplest ways to ensure that all your passwords are secure and your email account is locked down.

Most people assume that secure passwords have to be incredibly long, indecipherable strings of symbols and numbers that a computer itself would struggle to remember. While this may keep you secure, there are far easier and better ways to achieve this.

  • Use a different password for every* site

The easiest way to keep your passwords secure is to never use the same one online twice. There’s an “*” after every, because for sites that are very low risk (as in, it doesn’t matter if someone does get access), this rule could be bent slightly. But for every website that matters even slightly, use a different password for each one.

This means that if someone does get your password, they can only access one site with it, which should very significantly limit the amount of damage they can do before you can fix it all.

Secondly, you should not assume that all websites will keep your password safe. The secure way for them to store passwords is to turn each one into an irreversible code, which they can compare a login attempt against but can’t get the original password back out of (those interested in mathematics, or computer security, can read more at this Wikipedia link). However, some websites may not do this, and some websites may even be run by those who will try to use your email address and password to log into other websites.
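The difference between the two kinds of website described above, as an added example that is not part of the original post. It assumes a careful site uses a salted, deliberately slow one-way function (PBKDF2 from Python's standard library here); the function names, the iteration count and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; real sites tune this


def store_plaintext(password):
    """What a careless site keeps: the password itself."""
    return password.encode()


def store_hashed(password):
    """What a careful site keeps: a random salt plus a slow one-way hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def check_login(stored, attempt):
    """Re-run the same one-way function on the attempt and compare results;
    the original password is never needed."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def exposed_in_leak(stored, password):
    """True if a copy of the stored value hands its reader the password directly."""
    return password.encode() in stored


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    careless, careful = store_plaintext(pw), store_hashed(pw)
    print("careless site leak reveals password:", exposed_in_leak(careless, pw))
    print("careful site leak reveals password: ", exposed_in_leak(careful, pw))
    print("right password accepted:", check_login(careful, pw))
    print("wrong password rejected:", not check_login(careful, "phonebox"))
    # The random salt means the same password is stored differently each time.
    print("two records differ:", store_hashed(pw) != careful)
```

You cannot tell from the outside which kind of site you are dealing with, which is why a separate password per site matters.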

Keeping a different password for every website reduces or removes these risks. In our next post, we’ll discuss ways that you can safely remember these passwords (no, sticky notes on monitors or Word documents on desktops don’t count!) so that this isn’t an inconvenience.

  • Use a secure password for every site

“I thought you said that there were far easier and better ways than very long complex passwords?”

Yes, there are! “S%V6Yap9ROzHj*t” is a password that was randomly generated just as this post was being written. It is very secure; long, almost impossible to guess (or remember) and very likely will be the only time this password will ever be used.

But if you’ve been on the internet for a while, you may have come across the comedic genius of XKCD. They have a rather different take on secure passwords:

Comic by XKCD for generating passwords - combining words and numbers may be better than a random indecipherable string

Thanks to XKCD for this, licensed under Creative Commons: Attribution Non-commercial 2.5. Source: https://xkcd.com/936/

As you can see, taking four simple words and putting them together makes a much more secure password than the one I suggested above.

Some websites may require capital letters, numbers, symbols or a minimum length for the password. That does help to keep a password secure; “phonebox” is very insecure, whilst “PhoneB0x1992!” suddenly becomes very secure (and isn’t much harder to remember).

Finally, pick a password suitable for the account. Anything to do with banking or money (for example, eBay, PayPal, online banking accounts etc.) should be very secure because more people will want into it than perhaps other less lucrative websites.

  • Keep an eye on the news

This one is simple. If the media reports a website has been hacked, change your password for it immediately. If you used the same password for any other websites, change it for all of those as well.

To be absolutely safe, you could consider changing your password for every website that you use – although that probably won’t be necessary. In every case, read any messages the affected websites send you and follow their instructions as well as the ones above!

  • Where do reset password emails go?

Most people will have forgotten at least 1 password in their life, and we all know the drill – click “Forgot Password?”, enter your account name or email address, maybe answer a security question and they’ll email you out a reset password link or new password in a few minutes.

So if someone has access to your email account that all your other accounts send emails to, then they can access pretty much all these other accounts with not much difficulty. And that’s before you consider the amount of personal information you probably have sitting in your Inbox.

You may be tempted to create a special email account for this purpose, but you still have to keep it totally secure or the same problems emerge. Instead, make sure any email accounts handling personal emails or emails from online services are kept as secure as possible! The following posts will detail further security (and convenience) measures you can take, and you should definitely read them.

Even if you decide that it’s too inconvenient for all your other online accounts, secure your email account! It will be the best thing you can do to secure all your other online accounts.

This article was written by Connor Stuart, a 2nd Year Informatics student at the University of Edinburgh

Stay Safe Online!

Over the next two weeks, the Digital Footprints campaign will be posting a series of guides to keeping your social media accounts (and all other online accounts) secure. You’ll find the list of articles below, which will link to each post as and when it is published.

  • Simple Security: Passwords & Email
  • Managing Those Passwords!
  • Beyond Passwords
  • Further Security and Conclusion

We hope this will be interesting and informative. Using the information that these guides provide will significantly reduce the risk of your account being accessed by unauthorised individuals.

Safer Internet Day 10 Feb 2015

In support of Safer Internet Day 2015, this blog post highlights some of the threats that you might face online, as well as simple ways to protect yourself.

One of the most common threats is called “phishing”. We get this in our email every day, or it can exist in any link that we might click on. Our friends in University College London have let us use their anti-phishing game. If you play this it’s a great way to see how to recognise phishing attacks, and how to avoid them.

And finally, Get Safe Online gives practical and sensible advice on how to protect yourself, your computers and mobile devices and your business against problems you might encounter online.

*Many thanks to Information Services, University of Edinburgh for writing this blog post*