OIT News
Office of Information Technology

Archive for the ‘Security’ Category

Why isn’t Every Web Site Secure?

Monday, December 15th, 2014

Between April and October 2014, three security threats targeted secure web sites. Heartbleed, ShellShock and POODLE are threats that focus on web sites beginning with https://, the kind of sites that require logins (account name and password) to protect data entered or stored on them. POODLE might pose less risk than Heartbleed or Shellshock, but news reports on all three have increased consumer awareness of the risks to sites they may have intuitively trusted in the past.

POODLE also prompted the major web browser providers to escalate their plans to block https:// sites that do not use appropriate security.  Beginning in January 2015, warning messages will appear in Chrome, Firefox, and IE if the https:// destination is not using a SHA-2 (pronounced “shaw-too”) web security certificate. By 2016, most web browsers will block these sites.

A web site address (URL) that begins with https:// once indicated a secure login site. In other words, a customer or member could log in and provide sensitive information like credit card numbers without worrying whether their information would be stolen from the site. But https:// is no longer a guarantee of security for logins or for the data entered after a successful login. The security of the login and related data depends on the type of security certificate in use by the web site’s host server.

Previously, security certificates could be trusted without question, similar to the trust implied by a notary’s stamp and signature. The National Notary Association defines a notary as a “trusted, impartial witnesses to document signings.” The signature that indicates a web site can be trusted is generated by an algorithm named on the web security certificate. However, the integrity of the 20-year-old SHA-1 algorithm has been jeopardized as sophisticated cyber criminals learned how to defeat the certificate’s signature and access the databases of information stored in these secure web sites.

Replacing SHA-1 certificates with SHA-256 certificates (SHA-256 is a member of the SHA-2 family) reduces the risk of data theft or loss on secure web sites, but not all web site owners or administrators are aware of the types of certificates in use on the servers that host their web sites. At Rice University, the web sites hosted on IT servers, including sites supported by Web Services, have all been upgraded to the new SHA-2 certificates.

“Rice web site administrators and content managers with secure sites NOT hosted by IT should confirm with their host agency that the new SHA-2 certificates are in use,” said Andrea Martin, IT Director for Enterprise Applications.  “The SHA-2 certificates are important for web sites that use a secure login; their URLs begin https://  – the ‘s’ is the indicator that a certificate is involved.”

Barry Ribbeck is more interested in increasing awareness among Rice faculty, staff and students who log in to web sites that are not using the new SHA-2 certificate. “Most of the major web sites have already converted to the new SHA-2 certificate. Amazon, Google, Facebook, LinkedIn. There is an easy way to check, though. Just copy and paste the login URL [for the web site you are about to enter] into one of the SHA certificate checkers and see for yourself if they are secure.”

Links to certificate checkers include:

Please email questions about Rice web sites and SHA-1 or SHA-2 certificates to the IT Help Desk: helpdesk@rice.edu.
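A local alternative to the online SHA certificate checkers mentioned above, added here as an example (it is not part of the original post or of Rice IT’s tooling): it reads the signatureAlgorithm field of a DER-encoded X.509 certificate and reports whether the signature uses SHA-1 or a SHA-2 hash. `check_host` fetches a live certificate with Python’s standard `ssl` module (network required); `make_fake_cert` builds a constructed, structurally valid certificate shell so the parser can be exercised offline.

```python
"""Report which hash a web site certificate's signature uses (SHA-1 vs SHA-2).
Added example, standard library only. Relies on the X.509 layout
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
import ssl

# Signature-algorithm OIDs commonly seen on web certificates -> (name, is SHA-2 family)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", True),
}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Convert the content bytes of an OBJECT IDENTIFIER to dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: this byte ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Return (oid, name, is_sha2) for a DER-encoded X.509 certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is the input PEM rather than DER?)")
    _, _tbs, pos = read_tlv(cert, 0)                 # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)             # AlgorithmIdentifier SEQUENCE
    tag_oid, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("unexpected structure in signatureAlgorithm")
    oid = decode_oid(oid_bytes)
    name, sha2 = SIG_OIDS.get(oid, (oid, False))     # unknown OID: do not assume it is strong
    return oid, name, sha2

def check_host(host, port=443):
    """Fetch a live server certificate and classify its signature (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))

# --- constructed sample data so the parser can be exercised offline -------------------
def der(tag, value):
    """Encode one DER TLV, using the long length form when the value exceeds 127 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value

def encode_oid(oid):
    """Encode a dotted-decimal OID as OBJECT IDENTIFIER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return bytes(out)

def make_fake_cert(sig_oid):
    """Constructed sample: a Certificate shell with placeholder body and signature.
    Not a real certificate; tbsCertificate is padded past 127 bytes so the
    long-form length path of read_tlv is exercised."""
    tbs = der(0x30, der(0x04, b"\x00" * 200))                      # placeholder tbsCertificate
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL parameters
    sig = der(0x03, b"\x00" + b"\xAB" * 32)                        # placeholder BIT STRING
    return der(0x30, tbs + alg + sig)
```

Run `check_host("example.com")` against a real site to see the same tuple the checkers report; a result whose third element is False means the certificate should be replaced.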

Splunk and Palo Alto Use Big Data to Enhance Security

Monday, December 15th, 2014

Like a chess match, the moves of both cyber criminals and cyber attack prevention teams are motivated by the most recent activity of their opponent. Originating around 1995, early phishing emails were easily identified by poor spelling and grammar, which prompted attackers to clean up their content. Email recipients became wary of messages from unknown senders, so criminals learned to hide behind sender addresses of Fortune 500 companies and organizational Help Desks.

Similarly, attacks on institutional resources, web sites, applications and systems, which may have begun as amateurish pranks, grew into purposeful intrusions with intent to steal or corrupt. Antivirus tools for individual computers help thwart commonly downloaded malware, but do not have the capacity to patrol or influence menacing packets sailing through a network like tiny, voracious pirates. Unfortunately, with the escalation of intensity and sophistication of email and network attacks, legitimate email and network traffic have become hampered by the overwhelming tide of malicious activity.

With the advent of RiceNet3, tools like Palo Alto’s Next Generation firewall platform and Splunk’s analysis and visualization products can be used in tandem to increase security and identify attacks as they begin. The Palo Alto system is a suite of tools designed to detect and protect against these attacks. Based on a next-generation firewall, the system also includes an intrusion prevention system that looks for known-malicious attempts to compromise resources on the network. WildFire, another component of the Palo Alto system, evaluates suspicious content by comparing it against a cloud repository and by detonating the content in a self-contained virtual environment. If the content is determined to be malicious, subsequent instances are blocked.

Splunk is a big data analysis tool that can be used to establish a baseline of typical academic, research, and business processes based on network, system, and other log sources. It normalizes and correlates the data to generate alerts, produce reports and deliver actionable data. Splunk and Palo Alto have already been tested in targeted areas of the network, with a gradual roll out planned for the full network over an 18-month period beginning in spring 2015.

Hack Attack!

Thursday, October 23rd, 2014

Last year, Target’s credit card system was hacked, and 40 million customers’ credit card and debit accounts were compromised (1). More recently, Home Depot realized its software had been invaded, and their customers’ credit card numbers were sold online (2). Earlier this fall, hackers stole personal information and “touched more than 83 million households and businesses” from customers of JPMorgan Chase and up to nine other financial institutions (3). What is this hacking crime that alarms the FBI, huge corporations such as Target, Home Depot, and JPMorgan Chase, and individuals alike, and what precautions can be taken to thwart hackers?

What is Hacking?

To hack, according to Merriam-Webster Dictionary, is “to gain access to a computer illegally” (4). Because many victims of hacking are unaware that they have been hacked, it is impossible to accurately track hacking incidents. However, hackers target many types of systems, from personal e-mail accounts to multi-billion dollar companies’ software systems. According to Marc Scarborough, Rice IT’s security officer, “Accounts are hacked to access resources, like expensive journals, intellectual property, or financial information. They can be used to impersonate someone to email scam others, like phishing and ‘stolen passport’ scams. They can also be used as a springboard into stealing other, more valuable accounts based on their ultimate goal, like banking records or access to corporate secrets.” The intentions of hackers are never kind!

Who are the Victims?

Anyone who has an account on the Internet can be a victim of hacking. Several Rice students and employees who were able to catch account breaches shared their experiences and offered advice on how to prevent hacking. Emma Hurt, a Rice senior, said that her email account has been hacked twice despite her use of “unique” passwords. Another Rice student had his personal Yahoo email hacked; he, too, used different passwords for every personal account. Even Jim Rannik, who works in Rice’s Applications and Database Services Department and spends eight hours daily on the Internet for his career, had his PayPal account hacked. Hurt had mostly heard about adult victims of hacking, but she realized this was not always the case when she, a college student, was hacked. This emphasizes that regardless of knowledge, age, and experience with Internet safety, anyone can fall victim to hacking.

How to know if you’re being hacked?

Fortunately for these observant individuals, they realized when their accounts were breached. Hurt discovered she had been hacked when friends she had not intentionally emailed responded to emails from her account. Although there was no record of these emails in her sent box, Hurt said that people she contacted both frequently and infrequently received the strange emails from her account. Although a “pretty unique” password protected her email, Hurt had used that username for multiple sites. For another student, the hacking red flag waved when he was unable to log in to his email on a tablet. In this situation, too, the password was exclusive to that email. In Rannik’s case, he had set up an email alert for purchases over a certain amount made through his PayPal account. This safety precaution informed him that he had allegedly bought a gold-plated iPhone on eBay. Although a gold iPhone might be an exciting possession, Rannik did not want to foot the bill. “The iPhone was being purchased by someone in China. Thankfully, I was able to work with PayPal and my bank, and, after about a week, PayPal acknowledged the fraud, and returned the money to my bank.” Rannik had used both the account username and password on other sites. While these hackers were caught before much damage was done, Scarborough warned, “Many [victims] do not know they have been hacked.”

How to win against the hackers?

“There is a rule of thumb that says a password should be as secure as whatever it’s protecting,” explains Scarborough. As Hurt and Rannik learned, re-using passwords for multiple sites is a dangerous risk to take. The reason, Scarborough offers, is that attackers are aware of the human tendency to use the same password for simplicity’s sake. Scarborough finishes, “Most attackers know that if they have one password they can probably access everything.”

After falling prey to attackers, Rannik implemented new safety practices to protect his privacy and his accounts. He created a personal “password diversity formula” for all of his accounts’ usernames and passwords, and this has prevented subsequent attacks. Rannik offered advice from his experience in IT to help beat hack attacks:

Rannik’s Anti-Hack Strategies

  1. Diversify your passwords. You can create your own method like Rannik, or Scarborough suggests password managers like KeePass, 1Password, or LastPass. (Scarborough explains, “Password managers support multifactor or multistep authentication that should be used for protection.”)
  2. Never email or text anyone passwords. Hackers have computers running 24/7 to monitor accounts. Do not help them out by providing passwords in writing!
  3. Never use public Wi-Fi for secure websites.
  4. For banking accounts, set up meaningful alerts. Regularly check accounts (once per payday) for suspicious activity.
  5. For online shopping, use CREDIT, not DEBIT, because credit cards have greater fraud protection.
  6. Immediately power off or disconnect the network connection if you are being hacked!
  7. Use an iOS, Incognito, or Private mode for secure website browsing.
  8. Do not allow web browsers to save website login information.

By taking these precautions, everyone, from college students to international corporations, can take steps to prevent hackers. As October, National Cybersecurity Awareness Month, comes to a close, be a good cyber citizen, take a stand against cybercrime, and exercise cybersafety! Go through and double-check that your passwords are safe.

1. http://money.cnn.com/2013/12/22/news/companies/target-credit-card-hack/

2. http://www.businessweek.com/articles/2014-09-02/home-depots-credit-card-breach-looks-just-like-the-target-hack

3. http://dealbook.nytimes.com/2014/10/03/hackers-attack-cracked-10-banks-in-major-assault/?_php=true&_type=blogs&_r=0

4. http://www.merriam-webster.com/dictionary/hack

Safe Web Browsing – lunch and learn event Oct 21

Monday, October 20th, 2014

Come to Farnsworth Pavilion on Tuesday, October 21 from noon to 1:00 PM for tips on safely surfing the web. For example, why do you see ads on some of your web pages after you’ve searched or shopped for an item online? How is your junk mail affected by your online habits? IT Security Officer Marc Scarborough uses several tools to show exactly how different web sites track your activity and how you can surf the Internet more safely. Papa John’s Pizza will be served to the first 40 people; no RSVP required.

NCSAM – National Cybersecurity Awareness Month

Wednesday, October 1st, 2014

October is National Cybersecurity Awareness Month (NCSAM). Each year, Rice University promotes awareness tips to guard against identity theft and the loss of Rice data and files. In 2014, the NCSAM campaign includes lunch sessions with guest presenters as well as desktop activities that can be completed individually.

Through guided email tips, learn how to protect yourself, your family, and Rice University’s data and files. Good online protection habits are fundamentally the same for personal or business usage. If you choose to participate, you’ll receive four emails during the month of October suggesting some actions to take to tighten up your online security habits. As an incentive to complete tasks, you can earn points to be entered into a drawing for a variety of donated prizes, including two Rice football tickets and two Rice basketball tickets, courtesy of Rice Athletics. To sign up, send your name and email address to Liz Brigman (liz@rice.edu).

Pizza Lunches

Pizza and drinks provided for 40 people; no RSVP required.  All lunch events occur in Farnsworth Pavilion in the RMC.

IT Newsletter, October 2014

Monday, September 15th, 2014
The Vice Provost for Information Technology publishes the IT  Newsletter each semester to update Rice faculty and staff on IT initiatives and activities.

Cloud

Thirty-six cloud applications and services are in use in various departments across Rice. One-third of the cloud initiatives are available campus-wide.  Contact your IT Divisional Support Representative for details: helpdesk@rice.edu.

  • Google Drive – storage, collaboration
  • Rice Box – storage, collaboration
  • Qualtrics – surveys
  • MIR3 Communications – alerts
  • Riceworks – jobs, HR
  • Cayuse – research proposals
  • Backupify – data backup
  • Zoom – videoconference
  • Concur – travel expenses
  • Code42 Crashplan – desktop backup

Mobile

Collaboration, teaching, and learning occur in classes, labs, and meetings as well as over a coffee break or while walking in the same direction. Traditional and new technologies must be accessible by “mobile” participants and devices. Rice students, faculty and staff require mobile software tools and apps to be accessible from anywhere, any time. Three of Rice’s mobile-friendly apps include:

  • OWL-Space – collaboration and course management system
  • Webmail.rice.edu – used by faculty, staff, grad students and visiting students
  • iPhone Rice App for bus routes, directory, etc. – updates including Android app coming this fall.

Big Data

Research and business projects attempting to harness a flood of unstructured and evolving data, from multiple sources, can open the university to a tsunami-like influx of “big data.” From storage to analysis, big data manipulation consumes an unprecedented volume of technology resources and services, resulting in a disruption of traditional allocations between schools and departments.

SPICE can handle big data storage and virtual computer environments for Rice researchers.  For more information on managing big data, email either RCSG or K2I.

OnBase

For departments, data can accumulate as paper over time, a result of internal processes. Managing thousands of documents is simplified for offices like Graduate and Postdoctoral Studies that utilize the OnBase document imaging and work flow system. Contact IT Director for Enterprise Applications, Andrea Martin, to learn more.

Data Analytics

Dr. Ric Stoll, the Albert Thomas Professor for Political Science, leads the Provost’s Data Management Working Group, a multi-department database and joint reporting project.  The group works with campus data stewards to build data marts and prototype dashboards.

Contact Dr. Ric Stoll or Andrea Martin, IT Director for Enterprise Applications, to learn more about the Provost’s Data Management Working Group.

Storage

Like physical storage and office facilities, many types of e-containers meet faculty storage and collaboration requirements, including cloud solutions such as Rice Box. Rice faculty and staff can choose an appropriate solution from those shown on the IT web site: it.rice.edu/storageoptions. Call the IT Help Desk at 713.348.HELP (4357) to discuss specific storage needs for departments and research groups.

Research

RCSG systems administrators support Rice’s shared cluster systems, including training, data management, and data visualization for faculty, graduate students and postdocs. New HPC resources managed by RCSG this fall include the BlueGene Q and IBM Power 8 clusters. Email RCSG@rice.edu for more information.

Education

IT’s Academic Technology Services (ATS) team collaborates with the Center for Teaching Excellence (CTE) to host pedagogy brown bag workshops like the October 6 event, “Why is Student Feedback a Key to Success in the Classroom?” ATS also co-hosts or provides hands-on training sessions for new teaching tools, evaluations of new pedagogy or instructional technology projects, a weekly reading group on Teaching and Technology topics, and a classroom space where instructors can share their own computer and/or the screens of linked student-use computers.

Incoming Student Expectations

This fall, the IT Marketing & Communications team will work with the Center for Teaching Excellence (CTE) to revise the matriculating students’ IT Expectations Survey questions to provide more relevant results for Rice instructors.

Learning Tools

Rice instructors engage students using video-captured lectures, flipped classrooms, massively open online courses (MOOCs) and many other techniques and technologies. Email academictech@rice.edu to discuss tools for your courses. EduBlogs will replace blogs.rice.edu this fall.  See the Thresher story; additional details coming soon.

Security

Intrusion detection and prevention strategies protect the university from many cyber criminal threats, but brute force attacks continue targeting employee and student accounts. Complete the Information Security Training modules for tips on preventing your Rice account from being used to siphon Rice resources and data.

NCSAM – Cybersecurity Awareness

What is Rice doing for National Cybersecurity Awareness Month? Participate in October NCSAM lunch events and desktop activities.

Standardization

Hardware and software standardization results in cost-savings in both procurement and support. On September 15, 2014, President Leebron announced the Campus Laptop / Desktop Standards, which had been finalized earlier this year by the IT Hardware Standards Committee. The committee is comprised of directors and leaders from the offices of the Vice Provost for IT, Administrative Systems, Fondren Library, Jones Graduate School of Business, and Resource Development. Visit the Procurement web site to purchase a computer or for IT Hardware Standards FAQs.

Network

Planning Rice’s future-ready network requires flexible components and ideas that go beyond fibers and switches, as well as a basic foundation that is both robust and adaptable. Starting Fall 2014, Rice’s new network project will be implemented over 18 months with little disruption to campus routines. Contact William Deigaard, IT Director for Networking, Telecom & Data Center Operations, for more information about the new Rice network.

MyNetID.rice.edu

NetID accounts are used to log in to campus computers, for internal email, and for access to systems like OWL-Space, docs.rice.edu, and externally contracted services like Rice Box. The new MyNetID web site works on mobile devices and includes a password reset feature.

New it.rice.edu

The new IT.rice.edu web site was developed with the assistance of a usability expert and customer focus groups. It was streamlined to eliminate extraneous content and follows a responsive design framework suggested by Public Affairs.

Rice Online

IT collaborates with the Office of Strategic Initiatives and Digital Education to help Rice faculty launch MOOCs (massively open, online courses) in Coursera and edX. It also works with faculty to troubleshoot technology issues, provides storage services for course archives and datamart logs, and consults with the online team regarding video production system specifications and analytics workflows as well as the skill set requirements for new support positions in Rice’s digital learning enterprise. To learn more about IT support for Rice online initiatives, contact Mike Dewey, IT Director for Academic and Research Computing, or Dr. Carlos Solis, Assistant Director for Academic Technologies.

Hardware Disposal

The Office of Procurement, FE&P, and IT formulated an asset disposal process that can be utilized across the university to recycle “end of production life” computing hardware in an environmentally safe manner.  The process also helps protect against the loss of sensitive university information.

Fall 2014 Training Events

Training sessions are often repeated upon request.  To inquire about future sessions or one-on-one training, email the IT Help Desk: helpdesk@rice.edu.

Researchers

Faculty & Instructors

Staff & Students

Street Value of a Hacked Email Account

Sunday, August 10th, 2014

If your inbox was held for ransom, would you pay to get it back?

In his article, “The Value of a Hacked Email Account,” former Washington Post reporter Brian Krebs diagrams multiple services that are typically linked to an email account. When the email account is hacked and comes under a criminal’s control, those other services and accounts are also controlled by the criminal. Do you log in to your financial accounts with your email address? After you shop online, do you receive confirmations and shipping notices by email? Do you discuss research projects with your office colleagues by email? Do you send or receive payroll information via email? Personal data, photos, health matters… all these messages can add value to your email account on the black market.

Want to guess how much your iTunes account is worth? Answer: $8 in June 2013. In fact, if you had only the highest-value 6 of the 18 accounts mentioned in Krebs’s 2013 article, your email account was worth around $30 at that time. And that is not what YOU would be willing to pay if your inbox was held for ransom. That is just a starting street price for your account information on the black market.

Marc Scarborough, IT Security Officer at Rice University, continues advocating the same precautions that Krebs uses to conclude his article: multi-factor authentication and safe computing to ensure your devices are not infected with password seek-and-send malware. Scarborough also urges the use of different passwords for different accounts.

Contact the IT Help Desk (713.348.4357, helpdesk@rice.edu)  if you think your Rice NetID password may have been compromised in a phishing campaign or other criminal activity.

University Culture and Data Security

Tuesday, August 5th, 2014

Although phishing gets a lot of attention, it is not the worst problem universities face when trying to protect confidential and sensitive data.  Three cultural factors also elevate the risk of losing or exposing personal information, research data, legal or financial information, or a host of other bits and bytes about university community members, donors, and partners.  After the CIO for the University of Maryland (UMD) was ousted following a tremendous data loss, he shared insights on the cultural challenges yet to be overcome in universities attempting to guard against a similar breach.  UMD had invested heavily in hardware, software and humanware defenses, and still fell prey to a cyberattack leading to “one of the largest data breaches ever in higher education.”

The three cultural challenges Brian D. Voss identified in his blog post are:

  1. A culture of data retention (everybody keeps everything)
  2. A culture of frugality in IT (budgets inadequate to follow best practices)
  3. A culture of IT subservience (IT may be a customer service organization most of the time, but cannot be customer-service driven when creating and enforcing policies regarding information security).

Changing the culture of a university is no small feat. The administrators and IT governance groups for each institution in higher education will discuss and take appropriate steps for their own campus. In the meantime, individuals in each institution can mitigate the risk of data loss in their own areas by using university-owned or contracted email and storage solutions, secure networks like eduroam or university-controlled networks, and practicing safe computing habits.

For more information on safe computing habits, see Rice’s Information Security training modules: http://infosecurity.rice.edu.

Phishing and Data Security

Friday, August 1st, 2014

Before you respond to an email warning you about your account activity, status, or deletion, check two things:

  1. sender’s email address
  2. the URL, before you click it

Your departure from Rice is the only reason your Rice.edu account will be deactivated or deleted. When a student graduates or an employee leaves Rice, their NetID accounts are deactivated for security reasons. That is the only time NetID accounts are deactivated or deleted. Every other message about your account is phishing.
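The two checks above, automated over a raw email as an added example (not part of the original post or of Rice IT’s tooling): it reads the real sender address behind the display name and the real destination of every link, and flags links whose visible text shows a different host than the one they point to. rice.edu is the domain the post refers to; the trusted-domain list and every other host in the sample are assumptions or constructed placeholders.

```python
"""Automate the two checks above on a raw email: the real sender address and where links go.
Added example using only the standard library. rice.edu is the domain the post refers to;
every other host is a constructed placeholder and the trusted-domain list is an assumption."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"rice.edu"}    # assumption: domains that may legitimately send account mail


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs; the visible text is all the reader sees."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude last-two-labels domain (mynetid.rice.edu -> rice.edu); enough for an allow-list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:]) if host else ""


def check_message(raw):
    """Return a list of findings for a raw RFC 822 message; empty means both checks passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Check 1: the address in angle brackets, not the friendly display name.
    sender = parseaddr(str(msg["From"]))[1]
    if registered_domain(sender.rpartition("@")[2]) not in TRUSTED_DOMAINS:
        findings.append(f"sender address {sender} is not in a trusted domain")
    # Check 2: each link's real destination, and whether it matches the text shown.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) not in TRUSTED_DOMAINS:
            findings.append(f"link points to {host}, not a trusted domain")
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return findings


def build_message(sender, href, text):
    """Constructed sample in the style of the account-deletion phish the post describes."""
    return (f'From: "Rice IT Help Desk" <{sender}>\nTo: user@rice.edu\n'
            "Subject: Your NetID account will be deleted\nContent-Type: text/html\n\n"
            "<html><body><p>Your account will be deactivated in 24 hours.</p>\n"
            f'<p><a href="{href}">{text}</a></p></body></html>\n')
```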

phishing: /ˈfiSHiNG/ noun, email asking you to verify your account

Phishing remains a big problem when it comes to protecting university data and individual identities. Educational institutions are targeted more frequently* than government organizations when it comes to cybersecurity attacks.  In a recent EDUCAUSE Live! Webinar, the Department of Homeland Security noted a trend in Intellectual Property Theft against US Academia.  In 2013, “unknown cyber actors targeted universities in US, the UK and Israel” and the attacks resulted in data losses of medical research, passwords and personally identifiable information.  In February 2014, additional data breaches targeted US universities in the Northeast.

In another case study of a higher education data breach, university employees received spear-phishing emails which led to cyber criminals stealing $48,500 by changing the destination of the employees’ direct deposit information. The Department of Homeland Security suspects information stolen during the Northeast data breaches in February 2014 will also be used for future spear phishing or social engineering attacks as well as identity theft.

Phishing is real.  The threat  to intellectual property and other sensitive university data is real.  Please take precautions to lower the threat posed by these attacks by deleting unsolicited messages regarding your accounts and by using your NetID password ONLY in Rice-managed accounts.

If you fall for a phishing scam, contact the IT Help Desk immediately to reset your password:  713.348.HELP (4357) or helpdesk@rice.edu. To learn more information about phishing, browse through the email module of the Information Security web site: http://infosecurity.rice.edu/.

*ECAR study, May 2014 – http://net.educause.edu/ir/library/pdf/ECP1402.pdf

How to Get Rid of an Old Computer

Wednesday, July 23rd, 2014

While most Rice faculty, staff and graduate students are concerned about how to get a new computer, IT is equally concerned about how old computing equipment leaves the campus.  At the June Administrator’s Forum, Yemeen Rahman, IT Director for Business Services and Projects, walked department representatives through a simple process for hardware disposal (PDF).

Hardware includes any type of device with memory, from computers to flash drives, external hard drives and printers.  To protect the university from data loss, IT has taken on the task of wiping the data of these systems and peripherals before they are sent off campus for disposal.  To initiate the hardware disposal process, contact the IT Help Desk: 713.348.4357 or helpdesk@rice.edu.