Digital Security Updates - Perspective from GSS Representative to FSCICT Kate Dunning

posted Apr 15, 2014, 6:10 PM by Raymond Muzic

Note sent 4/15/2014

--

Hello all,

Two parts to this email: (1) updates in the wake of the Heartbleed security breach and (2) two potential updates to CWRU's approach to digital security.

---

Heartbleed Security Updates

Coming out of yesterday’s meeting of FSCICT (Faculty Senate Committee on Information and Communication Technology) I would like to send some important updates concerning digital security in the wake of the Heartbleed security breach, which I’m sure you have all heard about by this point.

Many companies are working on patching their sites, but here’s what you can do:

- Change your passwords for important sites, like your finance-related websites, your social media sites, your CWRU passwords, etc. Many companies will not ask you to reset your password, but it is a good idea to do so by going directly to the website, rather than using an alternate link. To emphasize, CWRU is not pushing password changes as a reaction to the Heartbleed OpenSSL vulnerability and will not be sending a link asking you to reset your password because there is no indication that accounts were compromised. That said, resetting your password is good in a general context.

- Consider using a password manager like LastPass, which is a free service if used only on the computer or $12 per year to use it on your mobile phone as well. This site allows you to create one complex passphrase that you can remember and then auto-generate complex, secure passwords for your other sites. There are additional security factors available through this service as well, including two-factor authentication. I would be more than happy to help anyone interested in setting this up. It’s very simple, secure, and effective.

- Consider using two-factor authentication. Facebook, among others, for example, allows you to have a code texted to your phone when you enter your password into the website. This way, if someone gets your password, they still cannot access your account (and you are aware that someone has attempted to access your account). While CWRU Single Sign-On does not yet offer two-factor authentication, there is a pilot for two-factor authentication when using VPN. Remember, using a service like LastPass allows you the option for two-factor authentication on any site.

- Be aware of phishing attacks, especially in the wake of Heartbleed. Many attackers are using this as an opportunity to send emails asking you to reset your password by misdirecting you to a phishing website. Always type in the site URL yourself, rather than using the link from the email. The Chief Information Security Officer reported yesterday that most CWRU accounts that are compromised are compromised through phishing attacks rather than hacked passwords. So have strong passwords, but also pay careful attention to where you enter those passwords.

- When possible, use a passphrase rather than a password. For example, “My cat is adorable” could become “*My_cat_is_adorable!*2010”—this 25-character phrase is a lot easier to remember and just as secure as this 25-character gibberish: dfjKH35#d9&d)dh!Ujdwhnd_m. Another option recommended, especially if limited in characters, is taking the first letter of each word in a favorite lyric, poem, or phrase. So, if your favorite song goes, “I can call you Betty, and Betty when you call me, you can call me Al,” then you’ve got, “PS-IccyB,&Bwycm,yccmA.<1986>”—or some variation on that based on character constraints.


General CWRU Digital Security Update

CWRU is very concerned with making sure that all accounts are secure and important information protected.

As part of this effort, two changes are under consideration and your feedback is appreciated if you have an opinion: (1) increasing the passwords for Single Sign-On to a 12-15 character requirement and (2) adding an optional (and perhaps eventually required) two-factor authentication for Single Sign-On.

If you like or have concerns about either of these possibilities, please don’t hesitate to send your comments to me.

Thank you and I hope some of this information is useful for you!

Best,
Kate

PS - For those who are also Paul Simon fans, here's a bonus for making it through the whole email: You Can Call Me Al and The Boxer


---
Kate Dunning
Ph.D. Candidate
The Department of English
Case Western Reserve University